
Windows Analysis Report
7cduUYXDtl.exe

Overview

General Information

Sample Name: 7cduUYXDtl.exe
Analysis ID: 741320
MD5: db9b9afc1d0a9e384a46fc36b018e605
SHA1: c8e97db53c615bbfdb3c6c412a9d84f66cf22c53
SHA256: fd2fef13a5977859cd31b711618355eaba32082e0863a7e7b2770afff8d7a1fb
Tags: 32 exe trojan

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Amadey's stealer DLL
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Contains functionality to inject code into remote processes
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Drops PE files
Contains functionality to read the PEB
Contains functionality to launch a program with higher privileges
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • 7cduUYXDtl.exe (PID: 6020 cmdline: C:\Users\user\Desktop\7cduUYXDtl.exe MD5: DB9B9AFC1D0A9E384A46FC36B018E605)
    • rovwer.exe (PID: 6068 cmdline: "C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe" MD5: DB9B9AFC1D0A9E384A46FC36B018E605)
      • schtasks.exe (PID: 6112 cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • rundll32.exe (PID: 5328 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll, Main MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • rovwer.exe (PID: 4332 cmdline: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe MD5: DB9B9AFC1D0A9E384A46FC36B018E605)
  • rovwer.exe (PID: 4304 cmdline: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe MD5: DB9B9AFC1D0A9E384A46FC36B018E605)
  • rovwer.exe (PID: 4060 cmdline: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe MD5: DB9B9AFC1D0A9E384A46FC36B018E605)
  • rovwer.exe (PID: 4512 cmdline: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe MD5: DB9B9AFC1D0A9E384A46FC36B018E605)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll | INDICATOR_TOOL_PWS_Amady | Detects password stealer DLL. Dropped by Amadey | ditekSHen | string matches listed below
    • 0xd868:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
    • 0x15604:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
    • 0x16074:$s1: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
    • 0x15158:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    • 0x151bc:$s2: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
    • 0xdd0c:$s3: \Mikrotik\Winbox\Addresses.cdb
    • 0x190d8:$s4: \HostName
    • 0x19100:$s5: \Password
    • 0x17c04:$s6: SOFTWARE\RealVNC\
    • 0x17c30:$s6: SOFTWARE\RealVNC\
    • 0x17c5c:$s6: SOFTWARE\RealVNC\
    • 0x17ca4:$s6: SOFTWARE\RealVNC\
    • 0x17cd0:$s6: SOFTWARE\RealVNC\
    • 0x18008:$s7: SOFTWARE\TightVNC\
    • 0x18034:$s7: SOFTWARE\TightVNC\
    • 0x18060:$s7: SOFTWARE\TightVNC\
    • 0x180ac:$s7: SOFTWARE\TightVNC\
    • 0x1c43c:$s8: cred.dll
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | INDICATOR_TOOL_PWS_Amady | Detects password stealer DLL. Dropped by Amadey | ditekSHen | same string matches (identical offsets and strings) as for cred64.dll above
Source | Rule | Description | Author | Strings
00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown |
    • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000A.00000002.596366750.000000000064F000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
    • 0x10a8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000B.00000002.728180420.000000000072E000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
    • 0x1260:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000005.00000002.347151025.000000000087E000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
    • 0x1210:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.310156082.00000000005B9000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown |
    • 0x1168:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 7cduUYXDtl.exe | ReversingLabs: Detection: 33%
Source: 7cduUYXDtl.exe | Virustotal: Detection: 30%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | Avira: detection malicious, Label: HEUR/AGEN.1233121
Source: C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll | Avira: detection malicious, Label: HEUR/AGEN.1233121
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | Metadefender: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Virustotal: Detection: 30%
Source: C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll | ReversingLabs: Detection: 88%
Source: C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll | Virustotal: Detection: 84%
Source: C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll | Metadefender: Detection: 73%
Source: 7cduUYXDtl.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Unpacked PE file: 0.2.7cduUYXDtl.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Unpacked PE file: 5.2.rovwer.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Unpacked PE file: 8.2.rovwer.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Unpacked PE file: 10.2.rovwer.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Unpacked PE file: 11.2.rovwer.exe.400000.0.unpack
Source: 7cduUYXDtl.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: C:\yewo\carekobe75\tavohagoso74\dayuxot\yufada\kad98\bufexifipodi.pdb source: 7cduUYXDtl.exe, rovwer.exe.0.dr
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: rovwer.exe, rovwer.exe, 00000005.00000003.345774661.0000000002210000.00000004.00001000.00020000.00000000.sdmp, rovwer.exe, 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, rovwer.exe, 00000008.00000002.469431299.0000000000400000.00000040.00000001.01000000.00000004.sdmp, rovwer.exe, 00000008.00000002.470449059.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, rovwer.exe, 00000008.00000003.468985129.0000000002110000.00000004.00001000.00020000.00000000.sdmp, rovwer.exe, 0000000A.00000003.595086987.00000000021F0000.00000004.00001000.00020000.00000000.sdmp, rovwer.exe, 0000000A.00000002.595671022.0000000000400000.00000040.00000001.01000000.00000004.sdmp, rovwer.exe, 0000000A.00000002.596718796.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, rovwer.exe, 0000000B.00000002.727239286.0000000000400000.00000040.00000001.01000000.00000004.sdmp, rovwer.exe, 0000000B.00000002.728483158.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, rovwer.exe, 0000000B.00000003.725621653.0000000002200000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: JC:\yewo\carekobe75\tavohagoso74\dayuxot\yufada\kad98\bufexifipodi.pdb0>C(/@ source: 7cduUYXDtl.exe, rovwer.exe.0.dr
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00420BA6 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_00420BA6 FindFirstFileExW

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 31.41.244.15 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.168.2.5 80
Source: Joe Sandbox View | ASN Name: AEROEXPRESS-ASRU
Source: Joe Sandbox View | IP Address: 31.41.244.15
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00404180 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00402C70 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown

System Summary

Source: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000002.596366750.000000000064F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.728180420.000000000072E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.347151025.000000000087E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.310156082.00000000005B9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.469752989.000000000073E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.470449059.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000B.00000002.728483158.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000A.00000002.596718796.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000005.00000002.346989915.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll, type: DROPPED | Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED | Matched rule: Detects password stealer DLL. Dropped by Amadey Author: ditekSHen
Source: 7cduUYXDtl.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000002.596366750.000000000064F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.728180420.000000000072E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.347151025.000000000087E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.310156082.00000000005B9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.469752989.000000000073E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.470449059.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000B.00000002.728483158.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000A.00000002.596718796.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000005.00000002.346989915.0000000000700000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll, type: DROPPED | Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED | Matched rule: INDICATOR_TOOL_PWS_Amady author = ditekSHen, description = Detects password stealer DLL. Dropped by Amadey
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_0040CBD0
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00429470
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_0042848D
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00432890
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_021D96D7
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_021D86F4
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_00429470
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_0042848D
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_00432890
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_0040CBD0
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: String function: 00416F50 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: String function: 00418C40 appears 40 times
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: String function: 00416F50 appears 130 times
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: String function: 00418C40 appears 40 times
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: String function: 021C71B7 appears 53 times
Source: 7cduUYXDtl.exe | Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: rovwer.exe.0.dr | Static PE information: Resource name: RT_VERSION type: Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll 351FD9B73FA0CBBDFBCE0793CA41544F5191650D79317A34024F3C09F73AC9BA
Source: 7cduUYXDtl.exe | ReversingLabs: Detection: 33%
Source: 7cduUYXDtl.exe | Virustotal: Detection: 30%
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | File read: C:\Users\user\Desktop\7cduUYXDtl.exe
Source: 7cduUYXDtl.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\7cduUYXDtl.exe C:\Users\user\Desktop\7cduUYXDtl.exe
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Process created: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe "C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll, Main
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Process created: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe "C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll, Main
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | File created: C:\Users\user\AppData\Roaming\80b59841e5c623
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | File created: C:\Users\user\AppData\Local\Temp\e94c2b28f2
Source: classification engine | Classification label: mal100.phis.spyw.evad.winEXE@12/5@0/2
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_0087F23E CreateToolhelp32Snapshot,Module32First
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Mutant created: \Sessions\1\BaseNamedObjects\80b59841e5c6230bb2c2395854fd58ec
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\0a3be1459f3ec0fba69ee09d314c27ba
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: 7cduUYXDtl.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\yewo\carekobe75\tavohagoso74\dayuxot\yufada\kad98\bufexifipodi.pdb source: 7cduUYXDtl.exe, rovwer.exe.0.dr
Source: Binary string: D:\Mktmp\Amadey\Release\Amadey.pdb source: rovwer.exe, rovwer.exe, 00000005.00000003.345774661.0000000002210000.00000004.00001000.00020000.00000000.sdmp, rovwer.exe, 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, rovwer.exe, 00000008.00000002.469431299.0000000000400000.00000040.00000001.01000000.00000004.sdmp, rovwer.exe, 00000008.00000002.470449059.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, rovwer.exe, 00000008.00000003.468985129.0000000002110000.00000004.00001000.00020000.00000000.sdmp, rovwer.exe, 0000000A.00000003.595086987.00000000021F0000.00000004.00001000.00020000.00000000.sdmp, rovwer.exe, 0000000A.00000002.595671022.0000000000400000.00000040.00000001.01000000.00000004.sdmp, rovwer.exe, 0000000A.00000002.596718796.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, rovwer.exe, 0000000B.00000002.727239286.0000000000400000.00000040.00000001.01000000.00000004.sdmp, rovwer.exe, 0000000B.00000002.728483158.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, rovwer.exe, 0000000B.00000003.725621653.0000000002200000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: JC:\yewo\carekobe75\tavohagoso74\dayuxot\yufada\kad98\bufexifipodi.pdb0>C(/@ source: 7cduUYXDtl.exe, rovwer.exe.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Unpacked PE file: 0.2.7cduUYXDtl.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Unpacked PE file: 5.2.rovwer.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Unpacked PE file: 8.2.rovwer.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Unpacked PE file: 10.2.rovwer.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Unpacked PE file: 11.2.rovwer.exe.400000.0.unpack
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Unpacked PE file: 0.2.7cduUYXDtl.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Unpacked PE file: 5.2.rovwer.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Unpacked PE file: 8.2.rovwer.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Unpacked PE file: 10.2.rovwer.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Unpacked PE file: 11.2.rovwer.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00418C86 push ecx; ret 0_2_00418C99
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_00418C86 push ecx; ret 5_2_00418C99
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_008842D0 push 54850227h; ret 5_2_00884329
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_0087E4B2 push edi; iretd 5_2_0087E4B3
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_00882403 push cs; ret 5_2_0088241F
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | File created: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | File created: C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders Startup
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe TID: 6072 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe TID: 6128 | Thread sleep time: -50000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe TID: 6124 | Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe TID: 6132 | Thread sleep time: -1800000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe TID: 6072 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Thread delayed: delay time: 360000
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | API coverage: 4.4 %
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | API coverage: 4.7 %
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00405400 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,0_2_00405400
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00420BA6 FindFirstFileExW,0_2_00420BA6
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_00420BA6 FindFirstFileExW,5_2_00420BA6
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Thread delayed: delay time: 50000
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Thread delayed: delay time: 360000
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00418A67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00418A67
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_004037D0 DeleteObject,GetUserNameW,GetUserNameW,GetProcessHeap,GetProcessHeap,HeapAlloc,GetUserNameW,LookupAccountNameW,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,LookupAccountNameW,ConvertSidToStringSidW,LocalAlloc,GetProcessHeap,HeapFree,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,LocalFree,0_2_004037D0
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_0041B901 mov eax, dword ptr fs:[00000030h] 0_2_0041B901
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_0041DF02 mov eax, dword ptr fs:[00000030h] 0_2_0041DF02
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_021B092B mov eax, dword ptr fs:[00000030h] 0_2_021B092B
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_021CE169 mov eax, dword ptr fs:[00000030h] 0_2_021CE169
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_0041B901 mov eax, dword ptr fs:[00000030h] 5_2_0041B901
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_0041DF02 mov eax, dword ptr fs:[00000030h] 5_2_0041DF02
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_0087EB1B push dword ptr fs:[00000030h] 5_2_0087EB1B
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00418163 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00418163
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00418A67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00418A67
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_0041CA80 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0041CA80
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00418BCC SetUnhandledExceptionFilter,0_2_00418BCC
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_021C83CA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_021C83CA
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_00418163 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00418163
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_00418A67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00418A67
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_0041CA80 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0041CA80
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Code function: 5_2_00418BCC SetUnhandledExceptionFilter,5_2_00418BCC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 31.41.244.15 80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.168.2.5 80
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00403F40 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,VirtualFree,0_2_00403F40
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00404350 ShellExecuteA,0_2_00404350
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Process created: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe "C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\853321935212 VolumeInformation (20 identical entries)
Source: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | Queries volume information: C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll VolumeInformation (2 identical entries)
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00418887 cpuid 0_2_00418887
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00418CA1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00418CA1
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00424BC4 _free,_free,_free,GetTimeZoneInformation,_free,0_2_00424BC4
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_00405400 GetVersionExW,GetModuleHandleA,GetProcAddress,GetSystemInfo,0_2_00405400
Source: C:\Users\user\Desktop\7cduUYXDtl.exe | Code function: 0_2_0040CBD0 GetUserNameA,SetCurrentDirectoryA,GetFileAttributesA,RtlAllocateHeap,CreateDirectoryA,GetFileAttributesA,GetModuleFileNameA,SetCurrentDirectoryA,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,0_2_0040CBD0
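Four of the behaviours listed in this section and under Boot Survival are the ones a triage analyst keys on: the 0_2_00403F40 API chain (CreateProcess, GetThreadContext, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread is the process-hollowing pattern), the schtasks command that re-launches rovwer.exe from %TEMP% every minute, rundll32 loading cred64.dll out of %APPDATA%, and the rewrite of the User Shell Folders\Startup value. The following is an added example, not Joe Sandbox code: a small rule set run over events constructed from those four report lines. The event dictionaries and field names are this example's own representation, not an export format of the sandbox.

```python
"""Triage rules over behaviour events of the kind listed in this report (added example)."""
import re

# Constructed from four events quoted in this report (the Startup-folder registry write,
# the 0_2_00403F40 API chain, the schtasks and rundll32 process creations). Field names
# are this example's own, not a Joe Sandbox export format.
EVENTS = [
    {"type": "registry", "process": "rovwer.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
     "value": "Startup"},
    {"type": "code_function", "process": "7cduUYXDtl.exe", "address": "0_2_00403F40",
     "apis": ["GetModuleFileNameA", "CreateProcessA", "VirtualAlloc", "GetThreadContext",
              "ReadProcessMemory", "GetModuleHandleA", "GetProcAddress", "VirtualAllocEx",
              "WriteProcessMemory", "WriteProcessMemory", "WriteProcessMemory",
              "SetThreadContext", "ResumeThread", "VirtualFree", "VirtualFree"]},
    {"type": "process_created", "process": "rovwer.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe '
                r'/TR "C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F'},
    {"type": "process_created", "process": "rovwer.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" '
                r'C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll, Main'},
]

# Process hollowing (RunPE): create a child, read its thread context, map and write the
# payload into it, point the context at the new entry point, resume. Order matters.
HOLLOWING_CHAIN = ["CreateProcess", "GetThreadContext", "VirtualAllocEx",
                   "WriteProcessMemory", "SetThreadContext", "ResumeThread"]
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)


def contains_chain(apis, chain):
    """True when every step of `chain` occurs in `apis` in that order (A/W suffixes ignored)."""
    remaining = iter(apis)
    return all(any(api.startswith(step) for api in remaining) for step in chain)


def rule_hollowing(event):
    if event["type"] == "code_function" and contains_chain(event["apis"], HOLLOWING_CHAIN):
        return f"{event['process']} {event['address']}: process-hollowing API chain"
    return None


def rule_schtasks(event):
    """Minute-granularity task whose action lives in a user-writable directory."""
    cmd = event.get("cmdline", "")
    if event["type"] != "process_created" or not re.search(r'schtasks\.exe"?\s+/Create', cmd, re.I):
        return None
    schedule = re.search(r"/SC\s+(\w+)", cmd, re.I)
    modifier = re.search(r"/MO\s+(\d+)", cmd, re.I)
    action = re.search(r'/TR\s+"([^"]+)"', cmd, re.I)
    if schedule and schedule.group(1).upper() == "MINUTE" and action and USER_WRITABLE.search(action.group(1)):
        every = modifier.group(1) if modifier else "?"
        return f"{event['process']}: task every {every} min runs {action.group(1)}"
    return None


def rule_rundll32(event):
    """rundll32 loading a DLL from under %APPDATA% or %TEMP%."""
    m = re.search(r'rundll32\.exe"?\s+([^,\s]+\.dll)', event.get("cmdline", ""), re.I)
    if event["type"] == "process_created" and m and USER_WRITABLE.search(m.group(1)):
        return f"{event['process']}: rundll32 loads {m.group(1)} from a user-writable path"
    return None


def rule_startup_folder(event):
    """Redirecting the Startup folder makes whatever lives at the new path autostart."""
    if (event["type"] == "registry" and event["key"].lower().endswith("user shell folders")
            and event["value"].lower() == "startup"):
        return f"{event['process']}: Startup folder redirected via {event['key']}"
    return None


RULES = [rule_hollowing, rule_schtasks, rule_rundll32, rule_startup_folder]


def triage(events):
    """Run every rule over every event; hits come back in event order."""
    hits = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```

The chain check deliberately ignores the APIs interleaved between the steps (VirtualAlloc, ReadProcessMemory, GetProcAddress in the quoted function): a hollowing loader varies those, but not the order of the six steps.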

Stealing of Sensitive Information

Source: Yara match | File source: C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, type: DROPPED
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
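Two of the four stores the rundll32-hosted cred64.dll reads are plain files, and both give up their secrets without any key: FileZilla's sitemanager.xml stores passwords base64-encoded, and Pidgin's .purple\accounts.xml stores them in clear text. The following is an added example, not the stealer's code or the sandbox's: parsers for both file layouts, run over constructed sample files (the hosts, users and passwords are invented), so that an analyst can enumerate what a compromised host has actually lost. The two registry-based stores (Outlook profiles, WinSCP sessions) are not handled here.

```python
"""What the targeted credential stores actually hold (added example)."""
import base64
import xml.etree.ElementTree as ET

# Constructed sample files in the layout FileZilla and Pidgin use; not files from the analysis.
FILEZILLA_SITEMANAGER = """<FileZilla3 version="3.60.1" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webadmin</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>production site</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Name>key-based, no stored password</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

PIDGIN_ACCOUNTS = """<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.test/Pidgin</name>
    <password>correct horse</password>
  </account>
</account>
"""


def filezilla_sites(xml_text):
    """Each <Server> entry; the password is only base64, so it decodes without any key."""
    sites = []
    for server in ET.fromstring(xml_text).iter("Server"):
        pw = server.find("Pass")
        password = None
        if pw is not None and pw.text:
            password = (base64.b64decode(pw.text).decode("utf-8")
                        if pw.get("encoding") == "base64" else pw.text)
        sites.append({"host": server.findtext("Host"), "port": int(server.findtext("Port") or 21),
                      "user": server.findtext("User"), "password": password})
    return sites


def pidgin_accounts(xml_text):
    """Pidgin keeps account passwords in clear text inside accounts.xml."""
    return [{"protocol": acct.findtext("protocol"), "name": acct.findtext("name"),
             "password": acct.findtext("password")}
            for acct in ET.fromstring(xml_text).findall("account")]


def harvest(filezilla_xml, pidgin_xml):
    """Flatten both stores into (store, identity, secret) triples, the shape a stealer exfiltrates."""
    records = [("filezilla", f"{s['user']}@{s['host']}:{s['port']}", s["password"])
               for s in filezilla_sites(filezilla_xml)]
    records += [("pidgin", f"{a['name']} ({a['protocol']})", a["password"])
                for a in pidgin_accounts(pidgin_xml)]
    return records


def exposed_secrets(records):
    """Only entries with a recoverable secret matter; key-based sites drop out."""
    return [r for r in records if r[2]]


if __name__ == "__main__":
    for store, identity, secret in exposed_secrets(harvest(FILEZILLA_SITEMANAGER, PIDGIN_ACCOUNTS)):
        print(f"{store:10} {identity:40} {secret}")
```

The practical consequence for incident response is in exposed_secrets(): every FileZilla site with a stored password and every Pidgin account must be treated as compromised and rotated, while sites configured for key-based login without a stored password are not exposed by this particular read.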
MITRE ATT&CK Matrix (the count in front of a technique is the number of matching signatures; techniques without a count are the matrix's placeholder entries with no hits)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 Exploitation for Privilege Escalation; 211 Process Injection; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Software Packing; 1 Masquerading; 21 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Rundll32; Indicator Removal from Tools
Credential Access: 1 OS Credential Dumping; 2 Credentials in Registry; 1 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 24 System Information Discovery; 12 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Screen Capture; 1 Email Collection; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph (ID: 741320, Sample: 7cduUYXDtl.exe, Startdate: 08/11/2022, Architecture: WINDOWS, Score: 100)

Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 3 other signatures
Top-level processes: 7cduUYXDtl.exe; rovwer.exe; rovwer.exe; 2 other processes

7cduUYXDtl.exe
  dropped: C:\Users\user\AppData\Local\...\rovwer.exe (PE32); C:\Users\user\...\rovwer.exe:Zone.Identifier (ASCII)
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to inject code into remote processes
  started: rovwer.exe

rovwer.exe (started by 7cduUYXDtl.exe)
  network: 31.41.244.15 AEROEXPRESS-ASRU Russian Federation
  dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32); C:\Users\user\AppData\Local\...\cred64[1].dll (PE32)
  signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 3 other signatures
  started: rundll32.exe; schtasks.exe

rundll32.exe (started by rovwer.exe)
  network: 192.168.2.5 unknown unknown
  signatures: System process connects to network (likely due to code injection or exploit); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Instant Messenger accounts or passwords; 2 other signatures

schtasks.exe (started by rovwer.exe)
  started: conhost.exe

Source | Detection | Scanner | Label
7cduUYXDtl.exe | 33% | ReversingLabs | Win32.Downloader.Deyma
7cduUYXDtl.exe | 31% | Virustotal |
7cduUYXDtl.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | 100% | Avira | HEUR/AGEN.1233121
C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll | 100% | Avira | HEUR/AGEN.1233121
C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | 88% | ReversingLabs | Win32.Infostealer.Decred
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | 85% | Virustotal |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | 73% | Metadefender |
C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | 33% | ReversingLabs | Win32.Downloader.Deyma
C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe | 31% | Virustotal |
C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll | 88% | ReversingLabs | Win32.Infostealer.Decred
C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll | 85% | Virustotal |
C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll | 73% | Metadefender |
      No Antivirus matches
      No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
31.41.244.15 | unknown | Russian Federation | 61974 | AEROEXPRESS-ASRU | true

Private IPs
192.168.2.5
      Joe Sandbox Version:36.0.0 Rainbow Opal
      Analysis ID:741320
      Start date and time:2022-11-08 22:08:50 +01:00
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 11m 33s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:7cduUYXDtl.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:12
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.phis.spyw.evad.winEXE@12/5@0/2
      EGA Information:
      • Successful, ratio: 66.7%
      HDC Information:Failed
      HCA Information:
      • Successful, ratio: 95%
      • Number of executed functions: 26
      • Number of non-executed functions: 109
      Cookbook Comments:
      • Found application associated with file extension: .exe
      • Override analysis time to 240s for rundll32
      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
      • Not all processes where analyzed, report is missing behavior information
      • Report creation exceeded maximum time and may have missing disassembly code information.
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtDeviceIoControlFile calls found.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
22:09:53 | API Interceptor | 2569x Sleep call for process: rovwer.exe modified
22:09:56 | Task Scheduler | Run new task: rovwer.exe path: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
Match | Associated Sample Name / URL | Detection | Context
31.41.244.15 | 7ZSVh1b31u.dll | malicious | 31.41.244.15/Mb1sDv3/index.php
31.41.244.15 | 7ZSVh1b31u.dll | malicious | 31.41.244.15/Mb1sDv3/index.php
      No context
Match | Associated Sample Name / URL | Detection | Context
AEROEXPRESS-ASRU | 5SeusTm9PP.exe | malicious | 31.41.244.60
AEROEXPRESS-ASRU | Hz47QoWpbQ.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | file.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | e0dObe3eM5.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | Yz6YgTF176.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | E4DwsGOz55.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | eveTY9PQSn.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | file.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | tNID7H5KEX.exe | malicious | 31.41.244.152
AEROEXPRESS-ASRU | vmBqMjIDpo.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | file.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | file.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | UN2Rniz3fX.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | file.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | Aqv8EIlBSv.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | SecuriteInfo.com.Win32.Evo-gen.5319.28457.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | Rk3ESqz3hB.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | PC5YUEww4R.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | 10Mmtni5Ix.exe | malicious | 31.41.244.15
AEROEXPRESS-ASRU | 5O7C2l2wpv.exe | malicious | 31.41.244.15
      No context
Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | Hz47QoWpbQ.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | file.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | file.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | FU6NClCGZ6.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | 36a0e4825153e93f6d7f87a37aac9cbf9f1a5cac5c832.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | e0dObe3eM5.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | Yz6YgTF176.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | E4DwsGOz55.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | eveTY9PQSn.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | 5V8AcHizAb.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | file.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | file.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | 0IuMP4sNBR.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | vmBqMjIDpo.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | file.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | file.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | BFj8w9pt0x.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | PThVjP3LMr.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | UN2Rniz3fX.exe | malicious
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll | file.exe | malicious
                                              Process:C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):129024
                                              Entropy (8bit):6.511772093814294
                                              Encrypted:false
                                              SSDEEP:3072:ox7pOYzBekEmWDWCMq6As523HeS9FAiZ87vO2rlL3Rnu9:ox7ZNhE/dMq6AO0a7vVlT
                                              MD5:522ADAD0782501491314A78C7F32006B
                                              SHA1:E487EDCEEEF3A41E2A8EEA1E684BCBC3B39ADB97
                                              SHA-256:351FD9B73FA0CBBDFBCE0793CA41544F5191650D79317A34024F3C09F73AC9BA
                                              SHA-512:5F8A103DEEA3ED5F8641D1F4C91A4F891A8208B679CADBFAC4A068AFBAD0D2F777CD29ACE4BDFEC590E722435473E4F8465FB80D5CDA792DC0236646580101A7
                                              Malicious:true
Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, Author: Joe Security
• Rule: INDICATOR_TOOL_PWS_Amady, Description: Detects password stealer DLL. Dropped by Amadey, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\cred64[1].dll, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 88%
• Antivirus: Virustotal, Detection: 85%
• Antivirus: Metadefender, Detection: 73%
Joe Sandbox View:
• Filename: Hz47QoWpbQ.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: FU6NClCGZ6.exe, Detection: malicious
• Filename: 36a0e4825153e93f6d7f87a37aac9cbf9f1a5cac5c832.exe, Detection: malicious
• Filename: e0dObe3eM5.exe, Detection: malicious
• Filename: Yz6YgTF176.exe, Detection: malicious
• Filename: E4DwsGOz55.exe, Detection: malicious
• Filename: eveTY9PQSn.exe, Detection: malicious
• Filename: 5V8AcHizAb.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: 0IuMP4sNBR.exe, Detection: malicious
• Filename: vmBqMjIDpo.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: BFj8w9pt0x.exe, Detection: malicious
• Filename: PThVjP3LMr.exe, Detection: malicious
• Filename: UN2Rniz3fX.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
                                              Reputation:moderate, very likely benign file
                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......x.............@..........................@..........................................O.......&.... ..............................................................................................................CODE................................ ..`DATA................................@...BSS......................................idata..&...........................@....edata..O...........................@..P.reloc..............................@..P.rsrc........ ......................@..P.............@......................@..P................................................................................................................................................................................
                                              Process:C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
                                              File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                              Category:dropped
                                              Size (bytes):84204
                                              Entropy (8bit):7.897952942528722
                                              Encrypted:false
                                              SSDEEP:1536:CM5PR/yveXYRZ3BPhuZz+dnTh30h6Qe01tBbdMn9ODwC1rF6FQz:V/ueoRy+dnV0fbtbkL+rH
                                              MD5:5867ABCBA7E32B56C46EED9CBDD7BD7C
                                              SHA1:E9B3727E93F41DA41A611A1555975123DBDDD24A
                                              SHA-256:0950A3A7AF3DE357AA21D31F3DA43B585CC7DE6CBDA109EB41F7A5C1D40CBA5A
                                              SHA-512:D90D891316EDE8BCED4EEE9796FB92F9226A3AC4AD76D1C2E827BC21DEC885686860D6156FA59A84A4E0C8071CDB6596A72523CBB59E69A825AF30DF3F537A0E
                                              Malicious:false
                                              Reputation:low
                                              Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.A.:.....X.l..1lN23....._....m.....'.........S.. ..W....'.c....1....5.5.}j.Ly..k;.\...q.U..Q...bgJpW.(QKI]&b.QE.&(..Y.)....\..._.|.'..wy.....h..S'.8.gc.k...S~.............?.M....?.7?...Y.x.{&|.E{....B.......~..
                                              Process:C:\Users\user\Desktop\7cduUYXDtl.exe
                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):227840
                                              Entropy (8bit):7.314337555799433
                                              Encrypted:false
                                              SSDEEP:6144:qLzJx2ryTayck4ZWB80CFowVshPZmiCgL:q3Jx2ryeycn0B119hPZm
                                              MD5:DB9B9AFC1D0A9E384A46FC36B018E605
                                              SHA1:C8E97DB53C615BBFDB3C6C412A9D84F66CF22C53
                                              SHA-256:FD2FEF13A5977859CD31B711618355EABA32082E0863A7E7B2770AFFF8D7A1FB
                                              SHA-512:767D1ABE7E86FDCCFE673559AAB2FF17065DB4C3416420FF86205F87F8D67FFC66121537306517F21566DBD65B125E6C707DBA3D75206E1834D27071FB905BC7
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 33%
                                               • Antivirus: Virustotal, Detection: 31%
                                              Reputation:low
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4.4.U.g.U.g.U.g..xg.U.g..ng.U.g...g.U.g.U.gLU.g..ig.U.g..yg.U.g..|g.U.gRich.U.g................PE..L....n.`.................8...........d.......P....@..........................0..............................................,:..P........;..........................p...............................P...@............................................text...T6.......8.................. ..`.data........P.......<..............@....rsrc....;.......<...>..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                              Process:C:\Users\user\Desktop\7cduUYXDtl.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:modified
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):129024
                                              Entropy (8bit):6.511772093814294
                                              Encrypted:false
                                              SSDEEP:3072:ox7pOYzBekEmWDWCMq6As523HeS9FAiZ87vO2rlL3Rnu9:ox7ZNhE/dMq6AO0a7vVlT
                                              MD5:522ADAD0782501491314A78C7F32006B
                                              SHA1:E487EDCEEEF3A41E2A8EEA1E684BCBC3B39ADB97
                                              SHA-256:351FD9B73FA0CBBDFBCE0793CA41544F5191650D79317A34024F3C09F73AC9BA
                                              SHA-512:5F8A103DEEA3ED5F8641D1F4C91A4F891A8208B679CADBFAC4A068AFBAD0D2F777CD29ACE4BDFEC590E722435473E4F8465FB80D5CDA792DC0236646580101A7
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll, Author: Joe Security
                                              • Rule: INDICATOR_TOOL_PWS_Amady, Description: Detects password stealer DLL. Dropped by Amadey, Source: C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll, Author: ditekSHen
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 88%
                                               • Antivirus: Virustotal, Detection: 85%
                                               • Antivirus: Metadefender, Detection: 73%
                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................X......x.............@..........................@..........................................O.......&.... ..............................................................................................................CODE................................ ..`DATA................................@...BSS......................................idata..&...........................@....edata..O...........................@..P.reloc..............................@..P.rsrc........ ......................@..P.............@......................@..P................................................................................................................................................................................
                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                              Entropy (8bit):7.314337555799433
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:7cduUYXDtl.exe
                                              File size:227840
                                              MD5:db9b9afc1d0a9e384a46fc36b018e605
                                              SHA1:c8e97db53c615bbfdb3c6c412a9d84f66cf22c53
                                              SHA256:fd2fef13a5977859cd31b711618355eaba32082e0863a7e7b2770afff8d7a1fb
                                              SHA512:767d1abe7e86fdccfe673559aab2ff17065db4c3416420ff86205f87f8d67ffc66121537306517f21566dbd65b125e6c707dba3d75206e1834d27071fb905bc7
                                              SSDEEP:6144:qLzJx2ryTayck4ZWB80CFowVshPZmiCgL:q3Jx2ryeycn0B119hPZm
                                              TLSH:DA24F1227A90C433C3631A705869C3E5A77EBA7159F99A8777580B3D5F302D26A37307
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........4.4.U.g.U.g.U.g..xg.U.g..ng.U.g...g.U.g.U.gLU.g..ig.U.g..yg.U.g..|g.U.gRich.U.g................PE..L....n.`.................8.
                                              Icon Hash:c8d0d8e0f0e0e4e8
                                              Entrypoint:0x406406
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:TERMINAL_SERVER_AWARE
                                              Time Stamp:0x60F16EC9 [Fri Jul 16 11:34:33 2021 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:5
                                              OS Version Minor:0
                                              File Version Major:5
                                              File Version Minor:0
                                              Subsystem Version Major:5
                                              Subsystem Version Minor:0
                                              Import Hash:3587bc86d8ee27a5cdc406b441581e5c
                                              Instruction
                                              call 00007F37F8C7B6FCh
                                              jmp 00007F37F8C7508Eh
                                              mov ecx, dword ptr [esp+04h]
                                              test ecx, 00000003h
                                              je 00007F37F8C75236h
                                              mov al, byte ptr [ecx]
                                              add ecx, 01h
                                              test al, al
                                              je 00007F37F8C75260h
                                              test ecx, 00000003h
                                              jne 00007F37F8C75201h
                                              add eax, 00000000h
                                              lea esp, dword ptr [esp+00000000h]
                                              lea esp, dword ptr [esp+00000000h]
                                              mov eax, dword ptr [ecx]
                                              mov edx, 7EFEFEFFh
                                              add edx, eax
                                              xor eax, FFFFFFFFh
                                              xor eax, edx
                                              add ecx, 04h
                                              test eax, 81010100h
                                              je 00007F37F8C751FAh
                                              mov eax, dword ptr [ecx-04h]
                                              test al, al
                                              je 00007F37F8C75244h
                                              test ah, ah
                                              je 00007F37F8C75236h
                                              test eax, 00FF0000h
                                              je 00007F37F8C75225h
                                              test eax, FF000000h
                                              je 00007F37F8C75214h
                                              jmp 00007F37F8C751DFh
                                              lea eax, dword ptr [ecx-01h]
                                              mov ecx, dword ptr [esp+04h]
                                              sub eax, ecx
                                              ret
                                              lea eax, dword ptr [ecx-02h]
                                              mov ecx, dword ptr [esp+04h]
                                              sub eax, ecx
                                              ret
                                              lea eax, dword ptr [ecx-03h]
                                              mov ecx, dword ptr [esp+04h]
                                              sub eax, ecx
                                              ret
                                              lea eax, dword ptr [ecx-04h]
                                              mov ecx, dword ptr [esp+04h]
                                              sub eax, ecx
                                              ret
                                              mov edi, edi
                                              push ebp
                                              mov ebp, esp
                                              mov eax, dword ptr [ebp+14h]
                                              push esi
                                              push edi
                                              xor edi, edi
                                              cmp eax, edi
                                              je 00007F37F8C75259h
                                              cmp dword ptr [ebp+08h], edi
                                              jne 00007F37F8C7522Dh
                                              call 00007F37F8C75E14h
                                              push 00000016h
                                              pop esi
                                              mov dword ptr [eax], esi
                                              push edi
                                              push edi
                                              push edi
                                              push edi
                                              push edi
                                              call 00007F37F8C75D9Dh
                                              add esp, 14h
                                              mov eax, esi
                                              jmp 00007F37F8C7523Bh
                                              cmp dword ptr [ebp+10h], edi
                                              Programming Language:
                                              • [ASM] VS2008 build 21022
                                              • [ C ] VS2008 build 21022
                                              • [IMP] VS2005 build 50727
                                              • [C++] VS2008 build 21022
                                              • [RES] VS2008 build 21022
                                              • [LNK] VS2008 build 21022
                                               Name                                  Virtual Address  Virtual Size  Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_IMPORT          0x13a2c          0x50          .text
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE        0x18f000         0x3b80        .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_DEBUG           0x1270           0x1c          .text
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x2e50           0x40          .text
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x214         .text
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                               IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                               Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
                                               .text  0x1000           0x13654       0x13800   False     0.5090269431089743  data       6.1006359701402815  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .data  0x15000          0x17939c      0x20200   False     0.9441953428988327  data       7.847490882724738   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                               .rsrc  0x18f000         0x3b80        0x3c00    False     0.6152994791666667  data       5.552803096579343   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
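The section table is the part of the static view worth reading first. The .data section has a virtual size (0x17939c) more than eleven times its raw size (0x20200) and an entropy of 7.85, which is what an executable that carries a packed payload and unpacks it into its own data section looks like. The Python below is an added example, not Joe Sandbox code: it parses a PE section table directly with struct, computes per-section Shannon entropy, and flags the three things a triage script should flag (entropy near 8, virtual size far above raw size, write+execute). The sample PE it builds in memory is constructed: the section geometry is copied from the table above, the section contents and the other header fields are synthetic.

```python
import math
import struct
from collections import Counter
from typing import Dict, List, NamedTuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


class Section(NamedTuple):
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table (40-byte entries)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        raw_name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        chars, = struct.unpack_from("<I", pe, off + 36)
        raw = pe[rptr:rptr + rsize]          # entropy is computed over the on-disk bytes
        sections.append(Section(raw_name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, rsize, chars, shannon_entropy(raw)))
    return sections


def triage(sections: List[Section], entropy_threshold: float = 7.0,
           inflate_ratio: float = 4.0) -> Dict[str, List[str]]:
    """Per-section findings; sections with nothing to report are omitted."""
    findings: Dict[str, List[str]] = {}
    for s in sections:
        notes = []
        if s.entropy >= entropy_threshold:
            notes.append(f"entropy {s.entropy:.2f}: packed or encrypted content")
        if s.raw_size and s.virtual_size / s.raw_size >= inflate_ratio:
            notes.append(f"virtual size 0x{s.virtual_size:x} is {s.virtual_size / s.raw_size:.0f}x "
                         f"raw size 0x{s.raw_size:x}: room reserved for an unpacked image")
        if s.characteristics & IMAGE_SCN_MEM_WRITE and s.characteristics & IMAGE_SCN_MEM_EXECUTE:
            notes.append("section is both writable and executable")
        if notes:
            findings[s.name] = notes
    return findings


def _stream(seed: int, n: int) -> bytes:
    """xorshift32 byte stream: a deterministic stand-in for packed data (constructed)."""
    out, x = bytearray(), seed & 0xFFFFFFFF
    while len(out) < n:
        x ^= (x << 13) & 0xFFFFFFFF
        x ^= x >> 17
        x ^= (x << 5) & 0xFFFFFFFF
        out += x.to_bytes(4, "little")
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Minimal PE32: section VA/VirtualSize/raw size/flags copied from the report's table,
    everything else (header fields, section contents) constructed for the example."""
    layout = [
        (b".text", 0x1000, 0x13654, b"\x8b\x45\x08\x33\xc0\x5d\xc3\x90" * (0x13800 // 8),
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x15000, 0x17939c, _stream(0x12345678, 0x20200),
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".rsrc", 0x18f000, 0x3b80, (b"\0" * 48 + b"RT_ICON\0" * 2) * (0x3c00 // 64),
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(layout), 0x60F16EC9, 0, 0, 0xE0, 0x0103)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    table, body, ptr = bytearray(), bytearray(), 0x400
    for name, va, vsize, raw, chars in layout:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), ptr, 0, 0, 0, 0, chars)
        body += raw
        ptr += len(raw)
    return bytes(dos + coff + opt + table).ljust(0x400, b"\0") + bytes(body)


if __name__ == "__main__":
    for name, notes in triage(parse_sections(build_sample_pe())).items():
        print(name, *notes, sep="\n  ")
```

Run against a real file, `triage(parse_sections(open(path, "rb").read()))` flags only .data for this sample's geometry; the thresholds are deliberately conservative, since legitimate installers and .NET assemblies also carry high-entropy resources, so treat a hit as a reason to watch for the unpacked image in memory rather than as a verdict on its own.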
                                               Name               RVA       Size    Type                                                           Language  Country
                                               AFX_DIALOG_LAYOUT  0x1920d0  0x2     data
                                               AFX_DIALOG_LAYOUT  0x1920c8  0x2     data
                                               AFX_DIALOG_LAYOUT  0x1920d8  0x2     data
                                               AFX_DIALOG_LAYOUT  0x1920e0  0x2     data
                                               AFX_DIALOG_LAYOUT  0x1920e8  0x2     data
                                               RT_ICON            0x18f500  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0   Romanian  Romania
                                               RT_ICON            0x18fbc8  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0   Romanian  Romania
                                               RT_ICON            0x190130  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0  Romanian  Romania
                                               RT_ICON            0x1911d8  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0  Romanian  Romania
                                               RT_ICON            0x191b60  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0  Romanian  Romania
                                               RT_STRING          0x192240  0x334   data                                                           Romanian  Romania
                                               RT_STRING          0x192578  0x210   data                                                           Romanian  Romania
                                               RT_STRING          0x192788  0x244   data                                                           Romanian  Romania
                                               RT_STRING          0x1929d0  0x1ae   data                                                           Romanian  Romania
                                               RT_ACCELERATOR     0x192018  0x60    data                                                           Romanian  Romania
                                               RT_GROUP_ICON      0x191fc8  0x4c    data                                                           Romanian  Romania
                                               RT_VERSION         0x1920f0  0x14c   Intel 80386 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                                               None               0x192088  0xa     data                                                           Romanian  Romania
                                               None               0x192098  0xa     data                                                           Romanian  Romania
                                               None               0x192078  0xa     data                                                           Romanian  Romania
                                               None               0x1920a8  0xa     data                                                           Romanian  Romania
                                               None               0x1920b8  0xa     data                                                           Romanian  Romania
                                               DLL           Import
                                               KERNEL32.dll  LoadLibraryW, GetVolumeInformationA, SetComputerNameA, LocalFlags, InterlockedDecrement, GetTickCount, SearchPathA, GetConsoleAliasExesLengthW, EnumSystemCodePagesW, LocalFree, FindNextFileW, TlsSetValue, CopyFileExW, MoveFileWithProgressW, SetVolumeLabelW, GetProfileSectionA, VerifyVersionInfoA, QueryDosDeviceW, LocalReAlloc, DosDateTimeToFileTime, VirtualQuery, WaitForDebugEvent, GlobalGetAtomNameW, MapViewOfFile, GetWindowsDirectoryA, GetModuleHandleW, VirtualProtect, FindNextVolumeMountPointW, IsBadWritePtr, DeleteAtom, LoadResource, WriteConsoleInputW, CopyFileA, CancelWaitableTimer, LocalAlloc, FindResourceW, OpenEventA, GetThreadPriority, CallNamedPipeA, GetProcAddress, GetModuleHandleA, GetConsoleAliasesLengthW, OpenFileMappingW, GetSystemWindowsDirectoryA, GetOEMCP, GetMailslotInfo, GetConsoleAliasA, GetFileInformationByHandle, GetDiskFreeSpaceExA, DefineDosDeviceA, GetCPInfo, GetProcessAffinityMask, GlobalFindAtomA, WriteConsoleA, ReleaseActCtx, FindNextVolumeW, LoadLibraryA, LeaveCriticalSection, GetComputerNameW, MoveFileA, InitializeCriticalSection, GetPrivateProfileStructA, InterlockedCompareExchange, InterlockedIncrement, EnumCalendarInfoA, InterlockedExchange, GetNamedPipeHandleStateA, SetFileApisToANSI, SetFileTime, CreateFileA, CloseHandle, Sleep, DeleteCriticalSection, EnterCriticalSection, RaiseException, RtlUnwind, GetLastError, HeapReAlloc, HeapAlloc, HeapFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, DeleteFileA, GetStartupInfoW, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, TlsGetValue, TlsAlloc, TlsFree, SetLastError, GetCurrentThreadId, HeapCreate, VirtualFree, VirtualAlloc, HeapSize, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, SetHandleCount, GetFileType, GetStartupInfoA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetACP, IsValidCodePage, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, InitializeCriticalSectionAndSpinCount, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, LCMapStringA, LCMapStringW, FlushFileBuffers, SetStdHandle, GetConsoleOutputCP, WriteConsoleW, ReadFile
                                               USER32.dll    GetAltTabInfoW
                                               WINHTTP.dll   WinHttpWriteData
                                               Language of compilation system   Country where language is spoken
                                               Romanian                         Romania
                                              No network behavior found


                                              Target ID:0
                                              Start time:22:09:48
                                              Start date:08/11/2022
                                              Path:C:\Users\user\Desktop\7cduUYXDtl.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\Desktop\7cduUYXDtl.exe
                                              Imagebase:0x400000
                                              File size:227840 bytes
                                              MD5 hash:DB9B9AFC1D0A9E384A46FC36B018E605
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.310156082.00000000005B9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                              Reputation:low

                                              Target ID:1
                                              Start time:22:09:51
                                              Start date:08/11/2022
                                              Path:C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe"
                                              Imagebase:0x400000
                                              File size:227840 bytes
                                              MD5 hash:DB9B9AFC1D0A9E384A46FC36B018E605
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 33%, ReversingLabs
                                               • Detection: 31%, Virustotal
                                              Reputation:low

                                              Target ID:2
                                              Start time:22:09:53
                                              Start date:08/11/2022
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F
                                              Imagebase:0x390000
                                              File size:185856 bytes
                                              MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:3
                                              Start time:22:09:54
                                              Start date:08/11/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7fcd70000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:4
                                              Start time:22:09:55
                                              Start date:08/11/2022
                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll, Main
                                              Imagebase:0x2c0000
                                              File size:61952 bytes
                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:Borland Delphi
                                              Reputation:high
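The two command lines above are the persistence and credential-theft steps of this chain: schtasks /Create with /SC MINUTE /MO 1 re-launches the copy of the sample in the user's Temp directory every minute, and rundll32 loads cred64.dll from AppData\Roaming through its Main export. Both are cheap to catch from process-creation telemetry without any signature for the binary itself. The Python below is an added example, not part of the report: it tokenises Windows command lines, checks schtasks /Create invocations for minute-level repetition and task actions in user-writable paths, and checks rundll32 for DLLs loaded from user-writable paths. The events are constructed from the command lines in this report; the parent-image values are an assumption based on the order of the process list, and a benign daily task under Program Files is included as a control.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List

# Locations a standard user can write to. A task action or rundll32 payload living here
# deserves a look; one under System32 or Program Files far less so.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)


@dataclass
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str = ""


def split_cmdline(cmd: str) -> List[str]:
    """Tokenise a Windows command line. posix=False keeps backslashes literal; quotes
    stay attached to the token, so they are stripped here."""
    return [t.strip('"') for t in shlex.split(cmd, posix=False)]


def switch_value(args: List[str], name: str) -> str:
    """Value following a case-insensitive /SWITCH, or '' if absent."""
    for i, a in enumerate(args[:-1]):
        if a.lower() == name.lower():
            return args[i + 1]
    return ""


def check_schtasks(ev: ProcEvent) -> List[str]:
    args = split_cmdline(ev.command_line)
    if not args or not args[0].lower().endswith("schtasks.exe"):
        return []
    if "/create" not in (a.lower() for a in args):
        return []
    out = []
    if switch_value(args, "/SC").upper() == "MINUTE":
        out.append(f"task repeats every {switch_value(args, '/MO') or '1'} minute(s)")
    action = switch_value(args, "/TR")
    if USER_WRITABLE.search(action):
        out.append(f"task action in user-writable path: {action}")
    return out


def check_rundll32(ev: ProcEvent) -> List[str]:
    args = split_cmdline(ev.command_line)
    if len(args) < 2 or not args[0].lower().endswith("rundll32.exe"):
        return []
    # rundll32 takes "<dll>,<export>"; the comma may or may not be followed by a space.
    dll, _, export = " ".join(args[1:]).partition(",")
    dll, export = dll.strip(), export.strip()
    if USER_WRITABLE.search(dll):
        return [f"rundll32 loading {dll} (export {export or '?'}) from user-writable path"]
    return []


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map pid -> findings; events with nothing suspicious are omitted."""
    results: Dict[int, List[str]] = {}
    for ev in events:
        findings = check_schtasks(ev) + check_rundll32(ev)
        if findings and ev.parent_image and USER_WRITABLE.search(ev.parent_image):
            findings.append(f"spawned by a binary in a user-writable path: {ev.parent_image}")
        if findings:
            results[ev.pid] = findings
    return results


# Constructed events: command lines and pids (target IDs) are taken from this report,
# parent images are assumed from the order of the process list.
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe",
              r'"C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe"',
              r"C:\Users\user\Desktop\7cduUYXDtl.exe"),
    ProcEvent(2, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe '
              r'/TR "C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe" /F',
              r"C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe"),
    ProcEvent(4, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\80b59841e5c623\cred64.dll, Main',
              r"C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe"),
    # Benign control (constructed): a daily task whose action lives under Program Files.
    ProcEvent(99, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"',
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(pid, *findings, sep="\n  ")
```

The same three checks map directly onto Sysmon event ID 1 or Windows 4688 fields (Image, CommandLine, ParentImage); the minute-interval test alone is noisy in environments that use short-interval tasks for monitoring agents, which is why the path and parent checks are scored alongside it rather than on their own.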

                                              Target ID:5
                                              Start time:22:09:56
                                              Start date:08/11/2022
                                              Path:C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
                                              Imagebase:0x400000
                                              File size:227840 bytes
                                              MD5 hash:DB9B9AFC1D0A9E384A46FC36B018E605
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.347151025.000000000087E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.346989915.0000000000700000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                              Reputation:low

                                              Target ID:8
                                              Start time:22:11:00
                                              Start date:08/11/2022
                                              Path:C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
                                              Imagebase:0x400000
                                              File size:227840 bytes
                                              MD5 hash:DB9B9AFC1D0A9E384A46FC36B018E605
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.469752989.000000000073E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.470449059.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                              Reputation:low

                                              Target ID:10
                                              Start time:22:12:00
                                              Start date:08/11/2022
                                              Path:C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
                                              Imagebase:0x400000
                                              File size:227840 bytes
                                              MD5 hash:DB9B9AFC1D0A9E384A46FC36B018E605
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000A.00000002.596366750.000000000064F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000A.00000002.596718796.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                              Reputation:low

                                              Target ID:11
                                              Start time:22:13:00
                                              Start date:08/11/2022
                                              Path:C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
                                              Imagebase:0x400000
                                              File size:227840 bytes
                                              MD5 hash:DB9B9AFC1D0A9E384A46FC36B018E605
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.728180420.000000000072E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000B.00000002.728483158.00000000021C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                              Reputation:low


                                                Execution Graph

                                                Execution Coverage:2.2%
                                                Dynamic/Decrypted Code Coverage:5.2%
                                                Signature Coverage:4.2%
                                                Total number of Nodes:308
                                                Total number of Limit Nodes:10
                                                execution_graph 21931 405860 21932 405866 21931->21932 21938 41bacc 21932->21938 21934 405886 21937 405880 21942 41ba15 21938->21942 21941 41bb5a 67 API calls 4 library calls 21941->21937 21944 41ba21 ___scrt_is_nonwritable_in_current_image 21942->21944 21943 41ba28 21967 41c750 14 API calls __dosmaperr 21943->21967 21944->21943 21946 41ba48 21944->21946 21949 41ba5a 21946->21949 21950 41ba4d 21946->21950 21947 41ba2d 21968 41cc2c 25 API calls __wsopen_s 21947->21968 21959 41e06f 21949->21959 21969 41c750 14 API calls __dosmaperr 21950->21969 21951 405873 21951->21934 21951->21941 21955 41ba77 21971 41bab5 LeaveCriticalSection ___scrt_uninitialize_crt 21955->21971 21956 41ba6a 21970 41c750 14 API calls __dosmaperr 21956->21970 21960 41e07b ___scrt_is_nonwritable_in_current_image 21959->21960 21972 41dea3 EnterCriticalSection 21960->21972 21962 41e089 21973 41e113 21962->21973 21967->21947 21968->21951 21969->21951 21970->21951 21971->21951 21972->21962 21982 41e136 21973->21982 21974 41e18e 21992 420873 14 API calls __dosmaperr 21974->21992 21976 41e197 21993 41e5a1 14 API calls __dosmaperr 21976->21993 21979 41e1a0 21981 41e096 21979->21981 21994 41f451 6 API calls __dosmaperr 21979->21994 21987 41e0cf 21981->21987 21982->21974 21982->21981 21990 41e047 EnterCriticalSection 21982->21990 21991 41e05b LeaveCriticalSection 21982->21991 21983 41e1bf 21995 41e047 EnterCriticalSection 21983->21995 21986 41e1d2 21986->21981 21996 41deeb LeaveCriticalSection 21987->21996 21989 41ba63 21989->21955 21989->21956 21990->21982 21991->21982 21992->21976 21993->21979 21994->21983 21995->21986 21996->21989 21997 21b092b GetPEB 21998 21b0972 21997->21998 21999 21b003c 22000 21b0049 21999->22000 22013 21b0e0f SetErrorMode SetErrorMode 22000->22013 22002 21b0223 22003 21b0238 VirtualAlloc 22002->22003 22004 21b0265 22003->22004 22005 21b02ce VirtualProtect 22004->22005 22007 21b030b 22005->22007 22006 21b0439 VirtualFree 22011 21b05f4 
LoadLibraryA 22006->22011 22012 21b04be 22006->22012 22007->22006 22008 21b04e3 LoadLibraryA 22008->22012 22010 21b08c7 22011->22010 22012->22008 22012->22011 22014 21b0e26 22013->22014 22014->22002 22015 41e3ff 22020 41e1d5 22015->22020 22018 41e43e 22021 41e1f4 22020->22021 22022 41e207 22021->22022 22030 41e21c 22021->22030 22040 41c750 14 API calls __dosmaperr 22022->22040 22024 41e20c 22041 41cc2c 25 API calls __wsopen_s 22024->22041 22026 41e217 22026->22018 22037 4235dd 22026->22037 22028 41e3ed 22046 41cc2c 25 API calls __wsopen_s 22028->22046 22035 41e33c 22030->22035 22042 422e6c 37 API calls 2 library calls 22030->22042 22032 41e38c 22032->22035 22043 422e6c 37 API calls 2 library calls 22032->22043 22034 41e3aa 22034->22035 22044 422e6c 37 API calls 2 library calls 22034->22044 22035->22026 22045 41c750 14 API calls __dosmaperr 22035->22045 22047 422fa2 22037->22047 22040->22024 22041->22026 22042->22032 22043->22034 22044->22035 22045->22028 22046->22026 22050 422fae ___scrt_is_nonwritable_in_current_image 22047->22050 22048 422fb5 22067 41c750 14 API calls __dosmaperr 22048->22067 22050->22048 22052 422fe0 22050->22052 22051 422fba 22068 41cc2c 25 API calls __wsopen_s 22051->22068 22058 42356f 22052->22058 22057 422fc4 22057->22018 22070 41bd30 22058->22070 22063 4235a5 22065 423004 22063->22065 22125 41e5a1 14 API calls __dosmaperr 22063->22125 22069 423037 LeaveCriticalSection __wsopen_s 22065->22069 22067->22051 22068->22057 22069->22057 22126 41bcad 22070->22126 22073 41bd54 22075 41bc90 22073->22075 22138 41bbde 22075->22138 22078 4235fd 22163 42334b 22078->22163 22081 423648 22181 41feca 22081->22181 22082 42362f 22195 41c73d 14 API calls __dosmaperr 22082->22195 22086 423656 22197 41c73d 14 API calls __dosmaperr 22086->22197 22087 42366d 22194 4232b6 CreateFileW 22087->22194 22091 42365b 22198 41c750 14 API calls __dosmaperr 22091->22198 22092 423723 GetFileType 22098 423775 22092->22098 22099 42372e GetLastError 22092->22099 22093 423641 
22093->22063 22095 423634 22196 41c750 14 API calls __dosmaperr 22095->22196 22096 4236a6 22096->22092 22097 4236f8 GetLastError 22096->22097 22199 4232b6 CreateFileW 22096->22199 22200 41c71a 14 API calls __dosmaperr 22097->22200 22203 41fe15 15 API calls 2 library calls 22098->22203 22201 41c71a 14 API calls __dosmaperr 22099->22201 22103 42373c CloseHandle 22103->22095 22104 423765 22103->22104 22202 41c750 14 API calls __dosmaperr 22104->22202 22106 4236eb 22106->22092 22106->22097 22108 423796 22110 4237e2 22108->22110 22204 4234c5 71 API calls 2 library calls 22108->22204 22109 42376a 22109->22095 22114 4237e9 22110->22114 22206 423063 71 API calls 2 library calls 22110->22206 22113 423817 22113->22114 22115 423825 22113->22115 22205 41e6f4 28 API calls 2 library calls 22114->22205 22115->22093 22117 4238a1 CloseHandle 22115->22117 22207 4232b6 CreateFileW 22117->22207 22119 4238cc 22120 4238d6 GetLastError 22119->22120 22124 4237f0 22119->22124 22208 41c71a 14 API calls __dosmaperr 22120->22208 22122 4238e2 22209 41ffdd 15 API calls 2 library calls 22122->22209 22124->22093 22125->22065 22127 41bcc4 22126->22127 22128 41bccd 22126->22128 22127->22073 22134 41f2d6 5 API calls __wsopen_s 22127->22134 22128->22127 22135 41ee92 37 API calls 3 library calls 22128->22135 22130 41bced 22136 41f58b 37 API calls __fassign 22130->22136 22132 41bd03 22137 41f5b8 37 API calls __fassign 22132->22137 22134->22073 22135->22130 22136->22132 22137->22127 22139 41bc06 22138->22139 22140 41bbec 22138->22140 22142 41bc0d 22139->22142 22143 41bc2c 22139->22143 22156 41bd6f 14 API calls _free 22140->22156 22155 41bbf6 22142->22155 22157 41bd89 15 API calls __wsopen_s 22142->22157 22158 41ead8 MultiByteToWideChar 22143->22158 22146 41bc3b 22147 41bc42 GetLastError 22146->22147 22149 41bc68 22146->22149 22161 41bd89 15 API calls __wsopen_s 22146->22161 22159 41c71a 14 API calls __dosmaperr 22147->22159 22149->22155 22162 41ead8 MultiByteToWideChar 22149->22162 22151 41bc4e 22160 
41c750 14 API calls __dosmaperr 22151->22160 22153 41bc7f 22153->22147 22153->22155 22155->22063 22155->22078 22156->22155 22157->22155 22158->22146 22159->22151 22160->22155 22161->22149 22162->22153 22164 423386 22163->22164 22165 42336c 22163->22165 22210 4232db 22164->22210 22165->22164 22217 41c750 14 API calls __dosmaperr 22165->22217 22168 42337b 22218 41cc2c 25 API calls __wsopen_s 22168->22218 22170 4233be 22171 4233ed 22170->22171 22219 41c750 14 API calls __dosmaperr 22170->22219 22176 423440 22171->22176 22221 41d9cf 25 API calls 2 library calls 22171->22221 22174 42343b 22174->22176 22177 4234b8 22174->22177 22175 4233e2 22220 41cc2c 25 API calls __wsopen_s 22175->22220 22176->22081 22176->22082 22222 41cc59 11 API calls __CreateFrameInfo 22177->22222 22180 4234c4 22182 41fed6 ___scrt_is_nonwritable_in_current_image 22181->22182 22225 41dea3 EnterCriticalSection 22182->22225 22184 41ff24 22226 41ffd4 22184->22226 22185 41ff02 22229 41fca4 15 API calls 3 library calls 22185->22229 22186 41fedd 22186->22184 22186->22185 22191 41ff71 EnterCriticalSection 22186->22191 22190 41ff07 22190->22184 22230 41fdf2 EnterCriticalSection 22190->22230 22191->22184 22192 41ff7e LeaveCriticalSection 22191->22192 22192->22186 22194->22096 22195->22095 22196->22093 22197->22091 22198->22095 22199->22106 22200->22095 22201->22103 22202->22109 22203->22108 22204->22110 22205->22124 22206->22113 22207->22119 22208->22122 22209->22124 22212 4232f3 22210->22212 22211 42330e 22211->22170 22212->22211 22223 41c750 14 API calls __dosmaperr 22212->22223 22214 423332 22224 41cc2c 25 API calls __wsopen_s 22214->22224 22216 42333d 22216->22170 22217->22168 22218->22164 22219->22175 22220->22171 22221->22174 22222->22180 22223->22214 22224->22216 22225->22186 22231 41deeb LeaveCriticalSection 22226->22231 22228 41ff44 22228->22086 22228->22087 22229->22190 22230->22184 22231->22228 22232 4186de 22233 4186ea ___scrt_is_nonwritable_in_current_image 22232->22233 22258 418404 22233->22258 
22235 4186f1 22236 41884a 22235->22236 22245 41871b ___scrt_is_nonwritable_in_current_image __CreateFrameInfo ___scrt_release_startup_lock 22235->22245 22288 418a67 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 22236->22288 22238 418851 22281 41b9ff 22238->22281 22242 41885f 22243 41873a 22244 4187bb 22266 41d42b 22244->22266 22245->22243 22245->22244 22284 41b9d9 37 API calls 5 library calls 22245->22284 22248 4187c1 22270 416830 22248->22270 22259 41840d 22258->22259 22290 418887 IsProcessorFeaturePresent 22259->22290 22261 418419 22291 419450 10 API calls 2 library calls 22261->22291 22263 41841e 22264 418422 22263->22264 22292 41946f 7 API calls 2 library calls 22263->22292 22264->22235 22267 41d434 22266->22267 22268 41d439 22266->22268 22293 41d18f 22267->22293 22268->22248 22271 40b2a0 22270->22271 22272 41683e 22271->22272 22349 406510 28 API calls __ehhandler$?PrimaryInvocation@UMSFreeVirtualProcessorRoot@details@Concurrency@@CGXW4_RTL_UMS_SCHEDULER_REASON@@KPAX@Z 22272->22349 22274 416861 22350 4138b0 100 API calls __ehhandler$?PrimaryInvocation@UMSFreeVirtualProcessorRoot@details@Concurrency@@CGXW4_RTL_UMS_SCHEDULER_REASON@@KPAX@Z 22274->22350 22276 41686e 22351 4167e0 CreateThread CreateThread CreateThread Sleep 22276->22351 22352 41b89d 22281->22352 22284->22244 22288->22238 22289 41b9c3 23 API calls __CreateFrameInfo 22289->22242 22290->22261 22291->22263 22292->22264 22294 41d198 22293->22294 22297 41d1ae 22293->22297 22294->22297 22299 41d1bb 22294->22299 22296 41d1a5 22296->22297 22312 41d30d 15 API calls 3 library calls 22296->22312 22297->22268 22300 41d1c4 22299->22300 22301 41d1c7 22299->22301 22300->22296 22313 421602 22301->22313 22306 41d1d9 22333 41e5a1 14 API calls __dosmaperr 22306->22333 22308 41d1e4 22332 41e5a1 14 API calls __dosmaperr 22308->22332 22310 41d208 22310->22296 22312->22297 22314 41d1ce 22313->22314 22315 42160b 22313->22315 22319 4219a3 
GetEnvironmentStringsW 22314->22319 22334 41ef4f 37 API calls 3 library calls 22315->22334 22317 42162e 22335 421449 47 API calls 4 library calls 22317->22335 22320 421a10 22319->22320 22321 4219ba 22319->22321 22322 41d1d3 22320->22322 22323 421a19 FreeEnvironmentStringsW 22320->22323 22336 4218bf 22321->22336 22322->22306 22331 41d20e 25 API calls 4 library calls 22322->22331 22323->22322 22325 4219d3 22325->22320 22339 41ea8a 22325->22339 22328 4219fb 22346 41e5a1 14 API calls __dosmaperr 22328->22346 22329 4218bf __wsopen_s WideCharToMultiByte 22329->22328 22331->22308 22332->22306 22333->22310 22334->22317 22335->22314 22338 4218d8 WideCharToMultiByte 22336->22338 22338->22325 22340 41eac8 22339->22340 22344 41ea98 __dosmaperr 22339->22344 22348 41c750 14 API calls __dosmaperr 22340->22348 22341 41eab3 RtlAllocateHeap 22343 41eac6 22341->22343 22341->22344 22343->22328 22343->22329 22344->22340 22344->22341 22347 41cca7 EnterCriticalSection LeaveCriticalSection __dosmaperr 22344->22347 22346->22320 22347->22344 22348->22343 22349->22274 22350->22276 22353 41b8ab 22352->22353 22354 41b8bd 22352->22354 22380 418b89 GetModuleHandleW 22353->22380 22364 41b744 22354->22364 22357 41b8b0 22357->22354 22381 41b943 GetModuleHandleExW 22357->22381 22359 418857 22359->22289 22363 41b900 22365 41b750 ___scrt_is_nonwritable_in_current_image 22364->22365 22387 41dea3 EnterCriticalSection 22365->22387 22367 41b75a 22388 41b7b0 22367->22388 22369 41b767 22392 41b785 22369->22392 22372 41b901 22397 41df02 GetPEB 22372->22397 22375 41b930 22378 41b943 __CreateFrameInfo 3 API calls 22375->22378 22376 41b910 GetPEB 22376->22375 22377 41b920 GetCurrentProcess TerminateProcess 22376->22377 22377->22375 22379 41b938 ExitProcess 22378->22379 22380->22357 22382 41b962 GetProcAddress 22381->22382 22383 41b985 22381->22383 22386 41b977 22382->22386 22384 41b8bc 22383->22384 22385 41b98b FreeLibrary 22383->22385 22384->22354 22385->22384 22386->22383 22387->22367 22389 41b7bc 
___scrt_is_nonwritable_in_current_image 22388->22389 22391 41b81d __CreateFrameInfo 22389->22391 22395 41d713 14 API calls __CreateFrameInfo 22389->22395 22391->22369 22396 41deeb LeaveCriticalSection 22392->22396 22394 41b773 22394->22359 22394->22372 22395->22391 22396->22394 22398 41b90b 22397->22398 22399 41df1c 22397->22399 22398->22375 22398->22376 22401 41f296 5 API calls __dosmaperr 22399->22401 22401->22398
                                                APIs
                                                • GetUserNameA.ADVAPI32(?,?), ref: 0040CD3E
                                                • SetCurrentDirectoryA.KERNEL32(00000000,?,?), ref: 0040CD9C
                                                  • Part of subcall function 00416A90: Concurrency::cancel_current_task.LIBCPMT ref: 00416B49
                                                  • Part of subcall function 00402C70: RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,3A108541,3A108541), ref: 00402E1C
                                                  • Part of subcall function 00402C70: RegQueryValueExA.ADVAPI32(3A108541,?,00000000,00000000,?,00000400,?,?,00000000,00000001,3A108541,3A108541), ref: 00402E4A
                                                  • Part of subcall function 00402C70: RegCloseKey.ADVAPI32(3A108541,?,?,00000000,00000001,3A108541,3A108541), ref: 00402E56
                                                  • Part of subcall function 00402C70: RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 00402F63
                                                  • Part of subcall function 00402C70: RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00402F91
                                                  • Part of subcall function 00402C70: RegCloseKey.ADVAPI32(80000001), ref: 00402F9A
                                                  • Part of subcall function 004048C0: Sleep.KERNEL32(000003E8), ref: 004049A9
                                                • GetFileAttributesA.KERNEL32(00000000), ref: 0040E4F1
                                                • CreateDirectoryA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040E623
                                                • GetFileAttributesA.KERNEL32(00000000), ref: 0040E738
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 0040ED75
                                                • std::_Xinvalid_argument.LIBCPMT ref: 0040F9E5
                                                  • Part of subcall function 00402C70: GdiplusStartup.GDIPLUS(?,?,00000000,3A108541), ref: 004030CA
                                                  • Part of subcall function 0040CBD0: SetCurrentDirectoryA.KERNEL32(00000000), ref: 0040EF9C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: DirectoryFile$AttributesCloseCurrentNameOpenValue$Concurrency::cancel_current_taskCreateGdiplusModuleQuerySleepStartupUserXinvalid_argumentstd::_
                                                • String ID: "$"$%$invalid stoi argument$stoi argument out of range
                                                • API String ID: 1674928435-2043294232
                                                • Opcode ID: 15be58a0eef31b6c65ba771fdf33b6d5f965c5bcbdd72336a2d9a83a28370cc5
                                                • Instruction ID: ca7d88425734236cf169f520bb3e28de2df1445630f25be11c52c40f1bbbcbb8
                                                • Opcode Fuzzy Hash: 15be58a0eef31b6c65ba771fdf33b6d5f965c5bcbdd72336a2d9a83a28370cc5
                                                • Instruction Fuzzy Hash: 07632A71A001489BEB18DB38CD897DD7B729F86304F5082ADE409A73D6DB3D9EC48B59
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 1368 41b901-41b90e call 41df02 1371 41b930-41b93c call 41b943 ExitProcess 1368->1371 1372 41b910-41b91e GetPEB 1368->1372 1372->1371 1373 41b920-41b92a GetCurrentProcess TerminateProcess 1372->1373 1373->1371
                                                APIs
                                                • GetCurrentProcess.KERNEL32(?,?,0041B900,0041BE86,?,NA,0041BE86,0041EF4E), ref: 0041B923
                                                • TerminateProcess.KERNEL32(00000000,?,0041B900,0041BE86,?,NA,0041BE86,0041EF4E), ref: 0041B92A
                                                • ExitProcess.KERNEL32 ref: 0041B93C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • String ID:
                                                • API String ID: 1703294689-0
                                                • Opcode ID: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
                                                • Instruction ID: c3524ad3d233ec0a3a19b1bf7aedcb75de5af13a6c7a41cb1465cf438659ca8f
                                                • Opcode Fuzzy Hash: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
                                                • Instruction Fuzzy Hash: 63E0B671120208EFCB216F65DD49AA97B79FB44751BC44439FA0586231CB39EE93CB98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 1376 21b092b-21b0970 GetPEB 1377 21b0972-21b0978 1376->1377 1378 21b097a-21b098a call 21b0d35 1377->1378 1379 21b098c-21b098e 1377->1379 1378->1379 1385 21b0992-21b0994 1378->1385 1379->1377 1381 21b0990 1379->1381 1383 21b0996-21b0998 1381->1383 1384 21b0a3b-21b0a3e 1383->1384 1385->1383 1386 21b099d-21b09d3 1385->1386 1387 21b09dc-21b09ee call 21b0d0c 1386->1387 1390 21b09f0-21b0a3a 1387->1390 1391 21b09d5-21b09d8 1387->1391 1390->1384 1391->1387
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: .$GetProcAddress.$l
                                                • API String ID: 0-2784972518
                                                • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                • Instruction ID: 42c187d63ad208e56e3ce7d04a141884dc5d9f54a8ed117be69e661acb09b349
                                                • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                • Instruction Fuzzy Hash: E53148B6900609DFDB11CF99C880AEEBBF9FF4C324F15414AD845A7250D7B1EA45CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 1393 404350-40448b call 416f50 ShellExecuteA 1399 4044b5-4044c6 1393->1399 1400 40448d-404499 1393->1400 1401 4044ab-4044b2 call 4185df 1400->1401 1402 40449b-4044a9 1400->1402 1401->1399 1402->1401 1403 4044c7-40453a call 41cc3c call 416a90 * 3 call 404350 1402->1403
                                                APIs
                                                • ShellExecuteA.SHELL32(00000000,00429838,?,?,00000000,00000000), ref: 004043F2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: ExecuteShell
                                                • String ID: runas
                                                • API String ID: 587946157-4000483414
                                                • Opcode ID: de7bd3c214bc239fffa76e86c4219ce5be5fd2c74372350d44addfd8b94cac34
                                                • Instruction ID: 0d432a24b2a6eecf06ea0bc45d18f5c5656229febad52b915354dd5f9442050f
                                                • Opcode Fuzzy Hash: de7bd3c214bc239fffa76e86c4219ce5be5fd2c74372350d44addfd8b94cac34
                                                • Instruction Fuzzy Hash: 56411370600208EBDB04DF69C981BDE7BB9EB45344FA0822AFC15972C0C779E984CB85
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 1175 4235fd-42362d call 42334b 1178 423648-423654 call 41feca 1175->1178 1179 42362f-42363a call 41c73d 1175->1179 1185 423656-42366b call 41c73d call 41c750 1178->1185 1186 42366d-4236b6 call 4232b6 1178->1186 1184 42363c-423643 call 41c750 1179->1184 1195 423922-423926 1184->1195 1185->1184 1193 423723-42372c GetFileType 1186->1193 1194 4236b8-4236c1 1186->1194 1200 423775-423778 1193->1200 1201 42372e-42375f GetLastError call 41c71a CloseHandle 1193->1201 1198 4236c3-4236c7 1194->1198 1199 4236f8-42371e GetLastError call 41c71a 1194->1199 1198->1199 1204 4236c9-4236f6 call 4232b6 1198->1204 1199->1184 1202 423781-423787 1200->1202 1203 42377a-42377f 1200->1203 1201->1184 1212 423765-423770 call 41c750 1201->1212 1207 42378b-4237d9 call 41fe15 1202->1207 1208 423789 1202->1208 1203->1207 1204->1193 1204->1199 1218 4237db-4237e7 call 4234c5 1207->1218 1219 4237f8-423820 call 423063 1207->1219 1208->1207 1212->1184 1218->1219 1226 4237e9 1218->1226 1224 423822-423823 1219->1224 1225 423825-423866 1219->1225 1227 4237eb-4237f3 call 41e6f4 1224->1227 1228 423887-423895 1225->1228 1229 423868-42386c 1225->1229 1226->1227 1227->1195 1231 423920 1228->1231 1232 42389b-42389f 1228->1232 1229->1228 1230 42386e-423882 1229->1230 1230->1228 1231->1195 1232->1231 1235 4238a1-4238d4 CloseHandle call 4232b6 1232->1235 1238 4238d6-423902 GetLastError call 41c71a call 41ffdd 1235->1238 1239 423908-42391c 1235->1239 1238->1239 1239->1231
                                                APIs
                                                  • Part of subcall function 004232B6: CreateFileW.KERNELBASE(00000000,00000000,?,004236A6,?,?,00000000,?,004236A6,00000000,0000000C), ref: 004232D3
                                                • GetLastError.KERNEL32 ref: 00423711
                                                • __dosmaperr.LIBCMT ref: 00423718
                                                • GetFileType.KERNELBASE(00000000), ref: 00423724
                                                • GetLastError.KERNEL32 ref: 0042372E
                                                • __dosmaperr.LIBCMT ref: 00423737
                                                • CloseHandle.KERNEL32(00000000), ref: 00423757
                                                • CloseHandle.KERNEL32(?), ref: 004238A4
                                                • GetLastError.KERNEL32 ref: 004238D6
                                                • __dosmaperr.LIBCMT ref: 004238DD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                • String ID:
                                                • API String ID: 4237864984-0
                                                • Opcode ID: 0d649afaf30192c5c19431845a951fd0479d0f23fa76b0b367cd72335b8b290c
                                                • Instruction ID: c7b97c56f1a0d1b911df166da15c54d720095dd6c25035754b532be6d98a6b0c
                                                • Opcode Fuzzy Hash: 0d649afaf30192c5c19431845a951fd0479d0f23fa76b0b367cd72335b8b290c
                                                • Instruction Fuzzy Hash: 7CA15872A041149FCF19DF68EC917AE3BB1AB06325F54016EF811AB391CB7C8952CB5A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 021B024D
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID: cess$kernel32.dll
                                                • API String ID: 4275171209-1230238691
                                                • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                • Instruction ID: 4ab217ea06ede6de9ba3e6b2e2a67f6ed3b7ab6b9f62452011bc74af36d61025
                                                • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                • Instruction Fuzzy Hash: AE526974A01229DFDB65CF68C984BADBBB1BF09304F1580E9E54DAB351DB30AA85CF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: _free
                                                • String ID: HZ$HZ
                                                • API String ID: 269201875-4061901197
                                                • Opcode ID: 9f5dec638c6018a6b24b976b0791b773a56ee0672529c52ab4d44372aafa3d49
                                                • Instruction ID: f1d333090dd57bfd17dfe39ecb9b07313f9b1ca465b706eabb36e918cd1afe6e
                                                • Opcode Fuzzy Hash: 9f5dec638c6018a6b24b976b0791b773a56ee0672529c52ab4d44372aafa3d49
                                                • Instruction Fuzzy Hash: 4FE0E5B6E0242022E211623F7C46AEB11856BD133AB15022FF860861E0DF7C88C2D19E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetEnvironmentStringsW.KERNEL32 ref: 004219AC
                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00421A1A
                                                  • Part of subcall function 004218BF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00425A80,?,00000000,00000000), ref: 00421961
                                                  • Part of subcall function 0041EA8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EABC
                                                • _free.LIBCMT ref: 00421A0B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: EnvironmentStrings$AllocateByteCharFreeHeapMultiWide_free
                                                • String ID:
                                                • API String ID: 2560199156-0
                                                • Opcode ID: 9bbd66b76b4a34ca0bab716a56d9e69b7f3100a2bd4ca48c1cc341373bda4218
                                                • Instruction ID: 29b21772b9320c3fddc08945695e8111c5dc75795407a2b0146b8edf9caf2341
                                                • Opcode Fuzzy Hash: 9bbd66b76b4a34ca0bab716a56d9e69b7f3100a2bd4ca48c1cc341373bda4218
                                                • Instruction Fuzzy Hash: DA01FCB2B022753B273125B73CC9DBF696DCED2BA5394013AFD04D7211EE588D0282B8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: _free
                                                • String ID: >A
                                                • API String ID: 269201875-3365779530
                                                • Opcode ID: 6d7cabbe3305cb9b6d011bf0e9d56addc9b4860a8407226052aa3c61f76cc774
                                                • Instruction ID: 30ff9b9e87434c0f379a7433cd06ee0227cf71fd1282e2cff9dc0eafdffef8ec
                                                • Opcode Fuzzy Hash: 6d7cabbe3305cb9b6d011bf0e9d56addc9b4860a8407226052aa3c61f76cc774
                                                • Instruction Fuzzy Hash: A8017172D00159BFCF01AFA89C01ADE7FF5AF08304F14016AB918E2151E7398B609BC4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • SetErrorMode.KERNELBASE(00000400,?,?,021B0223,?,?), ref: 021B0E19
                                                • SetErrorMode.KERNELBASE(00000000,?,?,021B0223,?,?), ref: 021B0E1E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorMode
                                                • String ID:
                                                • API String ID: 2340568224-0
                                                • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                • Instruction ID: 4bb0b02c4dfb3f5a3bc7dd2e41f8bd33247f6ec8f72617beddb3c5e3af2450fc
                                                • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                • Instruction Fuzzy Hash: AFD0123514512877D7012A94DC09BCE7B1CDF09B66F108011FB0DD9080C770954046E5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: __wsopen_s
                                                • String ID:
                                                • API String ID: 3347428461-0
                                                • Opcode ID: 0d6bf0a7e9f29163ed6caaa22d8f5b82bf3e75d92930a2ecd6c24ab71e07ee1e
                                                • Instruction ID: 322a9cb7d115cba5ea2c99f456cc5fe6d3c651e69e51ada78d95c10651760d14
                                                • Opcode Fuzzy Hash: 0d6bf0a7e9f29163ed6caaa22d8f5b82bf3e75d92930a2ecd6c24ab71e07ee1e
                                                • Instruction Fuzzy Hash: 14115775A0020AAFCF05DF59E9459DB7BF4EF48304F0040AAF808EB311D630EA21CBA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 0040CBD0: GetTempPathA.KERNEL32(00000104,?), ref: 0040B2FE
                                                  • Part of subcall function 0040CBD0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,3A108541), ref: 0040A7BC
                                                  • Part of subcall function 00406510: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406540
                                                  • Part of subcall function 0040CBD0: GetUserNameA.ADVAPI32(?,?), ref: 0040B96E
                                                  • Part of subcall function 004138B0: IsUserAnAdmin.SHELL32 ref: 0041390D
                                                  • Part of subcall function 004138B0: GetUserNameA.ADVAPI32(?,?), ref: 004139B7
                                                  • Part of subcall function 004138B0: GetComputerNameExW.KERNEL32(00000002,?,?,?,?), ref: 00413A20
                                                  • Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 004167F6
                                                  • Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 00416807
                                                  • Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 00416818
                                                  • Part of subcall function 004167E0: Sleep.KERNEL32(00007530,?,00416873), ref: 00416825
                                                • InternetCloseHandle.WININET(00000000), ref: 00416887
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: Name$CreateThreadUser$FileModule$AdminCloseComputerHandleInternetPathSleepTemp
                                                • String ID:
                                                • API String ID: 1411138196-0
                                                • Opcode ID: 681845bb7bdad3a9b280c05efa4f412a3339f2d7827d3117315032cc1d5ff116
                                                • Instruction ID: fcb51b4180ac2c01cd311fc2696d032aed602c74c46a29392a881be8b31f0bff
                                                • Opcode Fuzzy Hash: 681845bb7bdad3a9b280c05efa4f412a3339f2d7827d3117315032cc1d5ff116
                                                • Instruction Fuzzy Hash: 21E08671A0050407DA043BBA5D0B64E31184F8134CF94027FB815665D7EE6DD56441FF
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000000,?,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EABC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: dfa22ebf96d117e5e2d1e15a0c463ff833afb46ba7fb8ad48bf3f6a11dcdaed7
                                                • Instruction ID: 5e5b785a8da04b63c94067ca99906f02eb36a9a31bcd46b4234264a7978573d4
                                                • Opcode Fuzzy Hash: dfa22ebf96d117e5e2d1e15a0c463ff833afb46ba7fb8ad48bf3f6a11dcdaed7
                                                • Instruction Fuzzy Hash: A5E0E53954012266E62126634C007DB7A48BF813F0F050037EC18962C0DB98DCC182ED
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateFileW.KERNELBASE(00000000,00000000,?,004236A6,?,?,00000000,?,004236A6,00000000,0000000C), ref: 004232D3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: CreateFile
                                                • String ID:
                                                • API String ID: 823142352-0
                                                • Opcode ID: 5f6f20da4e93aca7bdcb0ea2359822fb329caed46e02a9c52ac097750241beb4
                                                • Instruction ID: cd0ee65043cc83d888fb6f456493c6bde9bec702db69a9442c4f6e90f97d0004
                                                • Opcode Fuzzy Hash: 5f6f20da4e93aca7bdcb0ea2359822fb329caed46e02a9c52ac097750241beb4
                                                • Instruction Fuzzy Hash: 77D06C3210010DFFDF128F84DC06EDA3BAAFB48724F414120BA1856020C732E872EB94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,3A108541,3A108541), ref: 00402E1C
                                                • RegQueryValueExA.ADVAPI32(3A108541,?,00000000,00000000,?,00000400,?,?,00000000,00000001,3A108541,3A108541), ref: 00402E4A
                                                • RegCloseKey.ADVAPI32(3A108541,?,?,00000000,00000001,3A108541,3A108541), ref: 00402E56
                                                • RegOpenKeyExA.ADVAPI32(80000001,80000001,00000000,000F003F,00000001), ref: 00402F63
                                                • RegSetValueExA.ADVAPI32(80000001,?,00000000,00000002,?,?), ref: 00402F91
                                                • RegCloseKey.ADVAPI32(80000001), ref: 00402F9A
                                                • GdiplusStartup.GDIPLUS(?,?,00000000,3A108541), ref: 004030CA
                                                • GetDC.USER32(00000000), ref: 004031C2
                                                • RegGetValueA.ADVAPI32(80000002,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000004), ref: 00403449
                                                • GetSystemMetrics.USER32 ref: 004034A2
                                                • GetSystemMetrics.USER32 ref: 004034AB
                                                • RegGetValueA.ADVAPI32(80000002,?,00000000), ref: 004034F3
                                                • GetSystemMetrics.USER32 ref: 00403546
                                                • GetSystemMetrics.USER32 ref: 0040354F
                                                • CreateCompatibleDC.GDI32(?), ref: 0040355B
                                                • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00403570
                                                • SelectObject.GDI32(00000000,00000000), ref: 00403580
                                                • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004035A6
                                                • GdipCreateBitmapFromHBITMAP.GDIPLUS(00000000,00000000,?), ref: 004035BA
                                                • GdipGetImageEncodersSize.GDIPLUS(00000000,?), ref: 004035D6
                                                • GdipGetImageEncoders.GDIPLUS(00000000,00000000,00000000), ref: 00403603
                                                • GdipSaveImageToFile.GDIPLUS(00000000,?,?,00000000), ref: 00403687
                                                • SelectObject.GDI32(00000000,?), ref: 00403694
                                                • DeleteObject.GDI32(00000000), ref: 004036A1
                                                • DeleteObject.GDI32(?), ref: 004036A9
                                                • ReleaseDC.USER32 ref: 004036B3
                                                • GdipDisposeImage.GDIPLUS(00000000), ref: 004036BA
                                                • GdiplusShutdown.GDIPLUS(?), ref: 0040375C
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: Gdip$ImageMetricsObjectSystemValue$Create$BitmapCloseCompatibleDeleteEncodersGdiplusOpenSelect$DisposeFileFromQueryReleaseSaveShutdownSizeStartup
                                                • String ID: image/jpeg
                                                • API String ID: 406439762-3785015651
                                                • Opcode ID: 980cba627aba57c3be443a91d8b4af89879fdcee3fb983424af2fc9b42805253
                                                • Instruction ID: ef3e356fa5e9885fc08513456cc6264c1fb040e0d3da28046e10bcebe11668ea
                                                • Opcode Fuzzy Hash: 980cba627aba57c3be443a91d8b4af89879fdcee3fb983424af2fc9b42805253
                                                • Instruction Fuzzy Hash: A362F471A00108ABEB18DF28CD85BDDBB76EF45304F50826EE805B72D1DB799A85CB58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403F66
                                                • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00403FCB
                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00403FE4
                                                • GetThreadContext.KERNEL32(?,00000000), ref: 00403FFF
                                                • ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00404023
                                                • GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040403E
                                                • GetProcAddress.KERNEL32(00000000), ref: 00404045
                                                • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040406D
                                                • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 0040408E
                                                • WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000), ref: 004040D2
                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000), ref: 0040410E
                                                • SetThreadContext.KERNEL32(?,00000000,?,?,00000000), ref: 0040412A
                                                • ResumeThread.KERNEL32(?,?,?,00000000), ref: 00404136
                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000), ref: 00404144
                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00404165
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: Process$MemoryVirtual$ThreadWrite$AllocContextFreeModule$AddressCreateFileHandleNameProcReadResume
                                                • String ID: $NtUnmapViewOfSection$ntdll.dll
                                                • API String ID: 4033543172-1522589568
                                                • Opcode ID: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
                                                • Instruction ID: 7185e54e9f5f5e6bc342fc5ffd2bfcf32a837d4cfdcfbf42461452ed81247528
                                                • Opcode Fuzzy Hash: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
                                                • Instruction Fuzzy Hash: 66518971600218EBDB209F54DC49FEAB7B8FF48701F9040B6F708AA291D7B1A995CF58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetUserNameW.ADVAPI32(00000000,?), ref: 00403822
                                                • GetProcessHeap.KERNEL32(00000008,?), ref: 00403837
                                                • HeapAlloc.KERNEL32(00000000), ref: 0040383A
                                                • GetUserNameW.ADVAPI32(00000000,?), ref: 00403848
                                                • LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 0040386B
                                                • GetProcessHeap.KERNEL32(00000008,?), ref: 00403876
                                                • HeapAlloc.KERNEL32(00000000), ref: 00403879
                                                • GetProcessHeap.KERNEL32(00000008,?), ref: 00403889
                                                • HeapAlloc.KERNEL32(00000000), ref: 0040388C
                                                • LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004038B6
                                                • ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 004038C9
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 004039C5
                                                • HeapFree.KERNEL32(00000000), ref: 004039CE
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039D3
                                                • HeapFree.KERNEL32(00000000), ref: 004039D6
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039DD
                                                • HeapFree.KERNEL32(00000000), ref: 004039E0
                                                • LocalFree.KERNEL32(00000000), ref: 004039E5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: Heap$Process$FreeName$Alloc$AccountLookupUser$ConvertLocalString
                                                • String ID:
                                                • API String ID: 3326663573-0
                                                • Opcode ID: a64e29b37d9ba5868eb87ff9c3c3dad53cd4cde0e11c70c606b7e5db171cbd47
                                                • Instruction ID: 167f534f4a5bc3f8c65bdd595c5ec8e1d54d44385eb9c59962b1969d814595bf
                                                • Opcode Fuzzy Hash: a64e29b37d9ba5868eb87ff9c3c3dad53cd4cde0e11c70c606b7e5db171cbd47
                                                • Instruction Fuzzy Hash: EA716DB1E00209ABDB14DFA5DC85BEFBBBCEB48300F40453AE905A7281DB749905CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 021B41CD
                                                • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 021B4232
                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 021B424B
                                                • GetThreadContext.KERNEL32(?,00000000), ref: 021B4266
                                                • ReadProcessMemory.KERNEL32(?,00434ECC,?,00000004,00000000), ref: 021B428A
                                                • GetModuleHandleA.KERNEL32(00434EE8,00434ED0), ref: 021B42A5
                                                • GetProcAddress.KERNEL32(00000000), ref: 021B42AC
                                                • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 021B42D4
                                                • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 021B42F5
                                                • WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000), ref: 021B4339
                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000), ref: 021B4375
                                                • SetThreadContext.KERNEL32(?,00000000,?,?,00000000), ref: 021B4391
                                                • ResumeThread.KERNEL32(?,?,?,00000000), ref: 021B439D
                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000), ref: 021B43AB
                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 021B43CC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Process$MemoryVirtual$ThreadWrite$AllocContextFreeModule$AddressCreateFileHandleNameProcReadResume
                                                • String ID:
                                                • API String ID: 4033543172-0
                                                • Opcode ID: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
                                                • Instruction ID: 1d46b11d3f52570259211867d22ff1d0f2f3affcad409e27af4df32e5424d0bc
                                                • Opcode Fuzzy Hash: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
                                                • Instruction Fuzzy Hash: 65517C71A40218AFDB219F54DC45FEAB7B8FF08705F9040B5F608EA2A1D7B1A994CF58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • InternetOpenW.WININET(00434EF4,00000000,00000000,00000000,00000000), ref: 0040425C
                                                • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040426E
                                                • InternetReadFile.WININET(00000000,?,03E80000,03E80000), ref: 00404281
                                                • InternetCloseHandle.WININET(00000000), ref: 00404292
                                                • InternetCloseHandle.WININET(00000000), ref: 00404295
                                                • InternetCloseHandle.WININET(00000000), ref: 004042A3
                                                • InternetCloseHandle.WININET(00000000), ref: 004042A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: Internet$CloseHandle$Open$FileRead
                                                • String ID: runas
                                                • API String ID: 4294395943-4000483414
                                                • Opcode ID: 28ce16dc81a2aff0cf4c6fac810d51fc3cde5d363382f25497ed73183f804a84
                                                • Instruction ID: ba1dc25ec83469701d4c7edc2e7ba4793e46b241d410edfdecdbeb0a0fce58bd
                                                • Opcode Fuzzy Hash: 28ce16dc81a2aff0cf4c6fac810d51fc3cde5d363382f25497ed73183f804a84
                                                • Instruction Fuzzy Hash: 4951D571E00108ABDB14DFA4DC41BEEBB75EF85300F60816EF915B7291D7389945CBA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: _free$InformationTimeZone
                                                • String ID:
                                                • API String ID: 597776487-0
                                                • Opcode ID: 8c2b88b9d242ee917946bc58aad9aca9963a64eab752d66957554f7044879769
                                                • Instruction ID: 2c4f844ee906d1c5b8a05b7d4d89c1c9074c071bb98950a21f89e01ce9d05ddf
                                                • Opcode Fuzzy Hash: 8c2b88b9d242ee917946bc58aad9aca9963a64eab752d66957554f7044879769
                                                • Instruction Fuzzy Hash: 1FC17835B00128ABDB209F69EC41BAB7BA9EFC5354F94416FE550D7381E7388E01CB88
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetVersionExW.KERNEL32(0000011C,?,3A108541,00000000), ref: 00405479
                                                • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004054E0
                                                • GetProcAddress.KERNEL32(00000000), ref: 004054E7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProcVersion
                                                • String ID:
                                                • API String ID: 3310240892-0
                                                • Opcode ID: 40c6cdebbb456b066a3f68f0887994b65a3b830430b2fa73f4ce35f146c3d2be
                                                • Instruction ID: 1307c1e28f23caf99c3cad6e9d6b2b61846357279e254348caa37701d54b456e
                                                • Opcode Fuzzy Hash: 40c6cdebbb456b066a3f68f0887994b65a3b830430b2fa73f4ce35f146c3d2be
                                                • Instruction Fuzzy Hash: B8513971900608ABDB14DB24DD497DE7B76EB46314F5042BAE805B73C1DB389EC48F99
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0041CB78
                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0041CB82
                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0041CB8F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                • String ID:
                                                • API String ID: 3906539128-0
                                                • Opcode ID: d01e7f133785e3bb0beafcf269aef2531f9dd5a62572b740f5956f5575e894ef
                                                • Instruction ID: ff4d1174fdddd5ebc348feb1509e890b27b9c9d6be8b5b558b14357fec343526
                                                • Opcode Fuzzy Hash: d01e7f133785e3bb0beafcf269aef2531f9dd5a62572b740f5956f5575e894ef
                                                • Instruction Fuzzy Hash: 8C31A275901228ABCB21DF65D989BD9BBB8AF08310F5041EAE40CA6251EB749F858F58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00428488,?,?,00000008,?,?,00428120,00000000), ref: 004286BA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: ExceptionRaise
                                                • String ID:
                                                • API String ID: 3997070919-0
                                                • Opcode ID: 5ef4d00b5429483db4ee21fa4326bc925bf0c13a1e125d06c7f23f728c6050ca
                                                • Instruction ID: 4a71125e6f4c823a3763720cf76552cabfd479d0aa9e4c8b08dce5cb0b77843e
                                                • Opcode Fuzzy Hash: 5ef4d00b5429483db4ee21fa4326bc925bf0c13a1e125d06c7f23f728c6050ca
                                                • Instruction Fuzzy Hash: 39B17B31211618DFD714CF28D48AB697BA0FF44364F65865DE89ACF3A1CB39E982CB44
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,021D86EF,?,?,00000008,?,?,021D8387,00000000), ref: 021D8921
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ExceptionRaise
                                                • String ID:
                                                • API String ID: 3997070919-0
                                                • Opcode ID: 5ef4d00b5429483db4ee21fa4326bc925bf0c13a1e125d06c7f23f728c6050ca
                                                • Instruction ID: e6a96c671b615ff1a0085192bcda776dbefced95832755768cbeca0a83317c13
                                                • Opcode Fuzzy Hash: 5ef4d00b5429483db4ee21fa4326bc925bf0c13a1e125d06c7f23f728c6050ca
                                                • Instruction Fuzzy Hash: 82B14D31650605DFD719CF2CC48AB657BA0FF45368F268658E8EACF2A1C335E992CB41
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0041889D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: FeaturePresentProcessor
                                                • String ID:
                                                • API String ID: 2325560087-0
                                                • Opcode ID: d55505ce439c0c625bb69c877a6f4797faed7c5d0db0f84db7aa582d50e4da23
                                                • Instruction ID: 42c5aa6f6f7fc7f776cec8504a7906bb6cf0d019190ab3c9283af4763153d71d
                                                • Opcode Fuzzy Hash: d55505ce439c0c625bb69c877a6f4797faed7c5d0db0f84db7aa582d50e4da23
                                                • Instruction Fuzzy Hash: 92516AB2A10215CBDB18CF65D9817AEBBF4FB48314F24942BD445EB350D7789980CF6A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d97f7f4797c3a364c903861215189f8d8653831c5c514b3b47f127515a30102c
                                                • Instruction ID: 995ca3f643b73f20b77409ea83fcee654ff77a15ad0f1f03090dea471df43cee
                                                • Opcode Fuzzy Hash: d97f7f4797c3a364c903861215189f8d8653831c5c514b3b47f127515a30102c
                                                • Instruction Fuzzy Hash: FE41C4B5904228AEDB24DF69DC89AEABBB8EF45304F5442DEE40DD3211DA349E848F54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetUnhandledExceptionFilter.KERNEL32(Function_00018BD8,004186D1), ref: 00418BD1
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: ExceptionFilterUnhandled
                                                • String ID:
                                                • API String ID: 3192549508-0
                                                • Opcode ID: 5b644bd4298714589124608af917b149a8cdb7aa3ad9eb7150b270449828aa51
                                                • Instruction ID: fb13876baf3060654c4d3ec658a032312c050c0c5ceb920d56ad85ce90fc2474
                                                • Opcode Fuzzy Hash: 5b644bd4298714589124608af917b149a8cdb7aa3ad9eb7150b270449828aa51
                                                • Instruction Fuzzy Hash:
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5a3a9157b277817cb60641082f1e4f8ca4ec7dff310ffa31a6fd9bf35832d5c1
                                                • Instruction ID: 2ed8bcd71233cdd26d40d40588c8b3db03f02c46a7ead0be40a967f157380f8c
                                                • Opcode Fuzzy Hash: 5a3a9157b277817cb60641082f1e4f8ca4ec7dff310ffa31a6fd9bf35832d5c1
                                                • Instruction Fuzzy Hash: F3E1875548E3C15FD7138B3449B5681BF70AE23114B1E96DBCCDA8E4A7D24CAA0EE732
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                • Instruction ID: 836b6cb189818071d5d152d6c3d8cd1a25b1ac1f9bf822a59482dcdb2b2a5351
                                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                • Instruction Fuzzy Hash: 3B115B7730407157D605DA3DF8B46BBA395EFC9320FAC437BC0424B748D22A9C839508
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                • Instruction ID: 3d154fef5ed125ed344dc961b8a30b049b66235cab7742b4724df85a5bb628ae
                                                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                • Instruction Fuzzy Hash: 8C1127BB2C1091C3DA188E2DD9F42FBA799EBC6128F2D4B7AD0524B758D322E145DE00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e0ad719187851a61f309ddbb2cee80a5110ae42387cecf94a10a94091515ac20
                                                • Instruction ID: 75fb159916dc4249806a39f04cce895c1ac82e6549e7b4276809d1188ffe9861
                                                • Opcode Fuzzy Hash: e0ad719187851a61f309ddbb2cee80a5110ae42387cecf94a10a94091515ac20
                                                • Instruction Fuzzy Hash: 70E046B2921228EBCB24DF8999049CAF3ECEB49B04B2100AAB502D3200C274DF41C7D4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e0ad719187851a61f309ddbb2cee80a5110ae42387cecf94a10a94091515ac20
                                                • Instruction ID: 4130ff2a68440bdd99f9cda329df6ae24a6ce12e71ac38b8fe3773f55551b3a8
                                                • Opcode Fuzzy Hash: e0ad719187851a61f309ddbb2cee80a5110ae42387cecf94a10a94091515ac20
                                                • Instruction Fuzzy Hash: C1E08C32951268EBCB18DB98D90498AF7FEEB44B14B2144AAB501E3200C370DE00CBE0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 00422653
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 00422209
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 0042221B
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 0042222D
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 0042223F
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 00422251
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 00422263
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 00422275
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 00422287
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 00422299
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 004222AB
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 004222BD
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 004222CF
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 004222E1
                                                • _free.LIBCMT ref: 00422648
                                                  • Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
                                                  • Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9
                                                • _free.LIBCMT ref: 0042266A
                                                • _free.LIBCMT ref: 0042267F
                                                • _free.LIBCMT ref: 0042268A
                                                • _free.LIBCMT ref: 004226AC
                                                • _free.LIBCMT ref: 004226BF
                                                • _free.LIBCMT ref: 004226CD
                                                • _free.LIBCMT ref: 004226D8
                                                • _free.LIBCMT ref: 00422710
                                                • _free.LIBCMT ref: 00422717
                                                • _free.LIBCMT ref: 00422734
                                                • _free.LIBCMT ref: 0042274C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID:
                                                • API String ID: 161543041-0
                                                • Opcode ID: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
                                                • Instruction ID: 87a383156b0838ac626f9c2c6038cf6ce1f5ffd7cd3d592d57855f9c4539c293
                                                • Opcode Fuzzy Hash: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
                                                • Instruction Fuzzy Hash: B6319272604211BFEB205A76EA45B9B73E5AF80358F50441FE849D7251DFBCED80DB18
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 00419C22
                                                • type_info::operator==.LIBVCRUNTIME ref: 00419C49
                                                • ___TypeMatch.LIBVCRUNTIME ref: 00419D55
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 00419E30
                                                • _UnwindNestedFrames.LIBCMT ref: 00419EB7
                                                • CallUnexpected.LIBVCRUNTIME ref: 00419ED2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                • String ID: csm$csm$csm
                                                • API String ID: 2123188842-393685449
                                                • Opcode ID: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
                                                • Instruction ID: d03aefa22aee8cf5aa416bea0a170c685dbf4c7cd79984a2e6415da9b3a38480
                                                • Opcode Fuzzy Hash: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
                                                • Instruction Fuzzy Hash: 49C18871900209EFCF29DFA5D8A19EEBBB5BF04314F14405BE8516B242D339DE91CB9A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: _free$___from_strstr_to_strchr
                                                • String ID: HZ
                                                • API String ID: 3409252457-879387849
                                                • Opcode ID: 17a2c5d05d88992eb6c4295c13d4ba7d46687f58b453e92c494b9aad345095be
                                                • Instruction ID: f188bb2de727b7b751c2d84351da10a70f250225146cef8743706f99745805fe
                                                • Opcode Fuzzy Hash: 17a2c5d05d88992eb6c4295c13d4ba7d46687f58b453e92c494b9aad345095be
                                                • Instruction Fuzzy Hash: 0E518C74F44324AFDB24AFB7A881A6E7BB4AF11314F54416FE410972A1EA3D8940CB5D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00408BAC
                                                • InternetOpenA.WININET(0043432B,00000000,00000000,00000000,00000000), ref: 00408BC2
                                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00408BE2
                                                • InternetReadFile.WININET(00000000,00000000,?,?), ref: 00408BF3
                                                • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00408C15
                                                • InternetReadFile.WININET(00000000,00000000,?,?), ref: 00408C20
                                                • CloseHandle.KERNEL32(?), ref: 00408C32
                                                • InternetCloseHandle.WININET(?), ref: 00408C41
                                                • InternetCloseHandle.WININET(00000000), ref: 00408C44
                                                • RemoveDirectoryA.KERNEL32(00000000,?,?,?), ref: 00408CFD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: Internet$File$CloseHandle$OpenRead$CreateDirectoryRemoveWrite
                                                • String ID:
                                                • API String ID: 1496009958-0
                                                • Opcode ID: d4071f3938f2969eb82609d0eef3df7d35d4587525f7ef1aeed542a422f625c7
                                                • Instruction ID: e39da941a42be4000a8416f9d2a6f8c848e32a180712f45a109694aa4e2734ce
                                                • Opcode Fuzzy Hash: d4071f3938f2969eb82609d0eef3df7d35d4587525f7ef1aeed542a422f625c7
                                                • Instruction Fuzzy Hash: 6E71EF71600208ABEB14DF64DD85BEE7735EF44304F50423EF945AB2D1DB38A980CB68
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _free.LIBCMT ref: 0041ED90
                                                  • Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
                                                  • Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9
                                                • _free.LIBCMT ref: 0041ED9C
                                                • _free.LIBCMT ref: 0041EDA7
                                                • _free.LIBCMT ref: 0041EDB2
                                                • _free.LIBCMT ref: 0041EDBD
                                                • _free.LIBCMT ref: 0041EDC8
                                                • _free.LIBCMT ref: 0041EDD3
                                                • _free.LIBCMT ref: 0041EDDE
                                                • _free.LIBCMT ref: 0041EDE9
                                                • _free.LIBCMT ref: 0041EDF7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: b518f20b764996853f57fbd2a3fdc4e7bf3deb810a08f9cd0b2a52dd965201da
                                                • Instruction ID: e610bd300bd5c2f85586062e27af9f16ff799e012d6f089a2169b26ee7872c24
                                                • Opcode Fuzzy Hash: b518f20b764996853f57fbd2a3fdc4e7bf3deb810a08f9cd0b2a52dd965201da
                                                • Instruction Fuzzy Hash: ED219CBA910108BFCB41EF96C941DDD7BF6BF88344F00416AF9199B121EB35DA84DB84
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1a78892049de11e46c50fbd2fa855718c5aabf05d02eef10ffa1756f3991459e
                                                • Instruction ID: 5128a0cef717139e7719faf6ed0b9fe75c650819d7ce78bb109199c1610a9dbc
                                                • Opcode Fuzzy Hash: 1a78892049de11e46c50fbd2fa855718c5aabf05d02eef10ffa1756f3991459e
                                                • Instruction Fuzzy Hash: D3C114B4B002159FDF11DF99E880BAEBBB0BF49304F51406AE914A7382C7789D81CF69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f5ce67aa41b5f7f4889b1a1a20be5028291e55dfd00ef2a2d6d7ad31bcea8bed
                                                • Instruction ID: 6dbd2c5e423e334920103486c0eadda1295b5f54b8e7a96b186c83aed40998b5
                                                • Opcode Fuzzy Hash: f5ce67aa41b5f7f4889b1a1a20be5028291e55dfd00ef2a2d6d7ad31bcea8bed
                                                • Instruction Fuzzy Hash: F1C14674E84285EFDF24CF98E880BADBBB9BF48304F148069E59497391C7349941CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,HZ,00427265,?,?,?,?,?,?,?,?,HZ), ref: 0042704C
                                                • __alloca_probe_16.LIBCMT ref: 00427102
                                                • __alloca_probe_16.LIBCMT ref: 00427198
                                                • __freea.LIBCMT ref: 00427203
                                                • __freea.LIBCMT ref: 0042720F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: __alloca_probe_16__freea$Info
                                                • String ID: HZ
                                                • API String ID: 2330168043-879387849
                                                • Opcode ID: 5f2a50e45296c4ab9ea81c751da5de9d4fb401d4688c96eb67b443e93606af8c
                                                • Instruction ID: f6d9b8f12c634194a1b411eace1e19527ea88e01b30f60a4b5a6e0b516c13e2d
                                                • Opcode Fuzzy Hash: 5f2a50e45296c4ab9ea81c751da5de9d4fb401d4688c96eb67b443e93606af8c
                                                • Instruction Fuzzy Hash: 4481E472B082259BDF219EA5AC41EEF7BB5EF09354F98005BF804A7341D62DCC458BB9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _ValidateLocalCookies.LIBCMT ref: 00419507
                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 0041950F
                                                • _ValidateLocalCookies.LIBCMT ref: 00419598
                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 004195C3
                                                • _ValidateLocalCookies.LIBCMT ref: 00419618
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                • String ID: csm
                                                • API String ID: 1170836740-1018135373
                                                • Opcode ID: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
                                                • Instruction ID: cf6a3be1c1e6f4323defd25786acadca5afaa418f9c93884064ec3a043526e94
                                                • Opcode Fuzzy Hash: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
                                                • Instruction Fuzzy Hash: 09411A31A00214AFCF11DF69C890ADEBBB1BF45318F54806BE8146B352D739DE96CB99
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: api-ms-$ext-ms-
                                                • API String ID: 0-537541572
                                                • Opcode ID: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
                                                • Instruction ID: 8946f5363388c355846af12649c4142b4e9cf4c5f65ba016e67a922269825e5f
                                                • Opcode Fuzzy Hash: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
                                                • Instruction Fuzzy Hash: 3521C672A41221FBCB318A24DC45A9B3778AB017A0F650532ED15A7391D638ED4BC5DC
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00422353: _free.LIBCMT ref: 00422378
                                                • _free.LIBCMT ref: 004223D9
                                                  • Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
                                                  • Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9
                                                • _free.LIBCMT ref: 004223E4
                                                • _free.LIBCMT ref: 004223EF
                                                • _free.LIBCMT ref: 00422443
                                                • _free.LIBCMT ref: 0042244E
                                                • _free.LIBCMT ref: 00422459
                                                • _free.LIBCMT ref: 00422464
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
                                                • Instruction ID: 3666b1e76cecdb1a9706d82e7bd79ae187b091a1e89744abee2c0a3d449e73e2
                                                • Opcode Fuzzy Hash: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
                                                • Instruction Fuzzy Hash: C611E471601714BAD921F7B2DD47FCB77DD5F0834CF84881EBACD6A052D6ACB6514604
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetConsoleCP.KERNEL32(?,00405880,00000000), ref: 00423A8E
                                                • __fassign.LIBCMT ref: 00423C6D
                                                • __fassign.LIBCMT ref: 00423C8A
                                                • WriteFile.KERNEL32(?,00405880,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423CD2
                                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00423D12
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423DBE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: FileWrite__fassign$ConsoleErrorLast
                                                • String ID:
                                                • API String ID: 4031098158-0
                                                • Opcode ID: 5a0c35df1f21bdc5310913443ad541efee69954072d07ce9ea6e444a121a2afd
                                                • Instruction ID: 55294dd1ed643e62d688e25fe7fc8b93d32e6dca02253c809cdcf0ede3e7f937
                                                • Opcode Fuzzy Hash: 5a0c35df1f21bdc5310913443ad541efee69954072d07ce9ea6e444a121a2afd
                                                • Instruction Fuzzy Hash: 21D1A075E002689FCF15CFA8D8809EDBBB5BF48314F64016AE455FB342D738AA46CB58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLastError.KERNEL32(?,?,004197E7,004193D7,00418C1C), ref: 004197FE
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0041980C
                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00419825
                                                • SetLastError.KERNEL32(00000000,004197E7,004193D7,00418C1C), ref: 00419877
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: ErrorLastValue___vcrt_
                                                • String ID:
                                                • API String ID: 3852720340-0
                                                • Opcode ID: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
                                                • Instruction ID: 71a7697fc03e6214697c45e1a132a8316019e6706060db725442c6d2a3e753c8
                                                • Opcode Fuzzy Hash: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
                                                • Instruction Fuzzy Hash: F101D8326293115EE62C3B76AE959D72774EF067B8720023FF120441F1EF594C95D58D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • InternetOpenW.WININET(00434EF4,00000000,00000000,00000000,00000000), ref: 021B44C3
                                                • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 021B44D5
                                                • InternetReadFile.WININET(00000000,?,03E80000,03E80000), ref: 021B44E8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: Internet$Open$FileRead
                                                • String ID: +CC$runas
                                                • API String ID: 72386350-2150734417
                                                • Opcode ID: f629ccd115f1b0a5505da88cd8cf5212883000edcb5ff7f417580e889bd18442
                                                • Instruction ID: b42de23b00c3ba79b0cb9973b94e1d23742d4eee82cb20f76ec8255ed512fda2
                                                • Opcode Fuzzy Hash: f629ccd115f1b0a5505da88cd8cf5212883000edcb5ff7f417580e889bd18442
                                                • Instruction Fuzzy Hash: 3651D172E40108AFDB15DFA8CC91FEEBBB6EF58700F608129E411A7681D775A944CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: C:\Users\user\Desktop\7cduUYXDtl.exe$P}]$X3Z
                                                • API String ID: 0-3247073527
                                                • Opcode ID: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
                                                • Instruction ID: 3e019bb9f1f37e8f56b3af26f626c64f14fa1fa210d5d8f79d997b38734a4c96
                                                • Opcode Fuzzy Hash: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
                                                • Instruction Fuzzy Hash: 9A41A271A80214AFDB11DF9A9CC19EFBBB9EB85710F10006BF40497251D7788E82CB5D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • C:\Users\user\Desktop\7cduUYXDtl.exe, xrefs: 00420F81
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: C:\Users\user\Desktop\7cduUYXDtl.exe
                                                • API String ID: 0-3414761971
                                                • Opcode ID: d9fd3d3f386e086f16d5e96c86dfc6c05a3e177acafcacdda8c025444d2164cb
                                                • Instruction ID: f2c65a4c72dcbe00dc32dc221c8eb50b3435d1ebdf66b1fbb5bbc6e11338d05a
                                                • Opcode Fuzzy Hash: d9fd3d3f386e086f16d5e96c86dfc6c05a3e177acafcacdda8c025444d2164cb
                                                • Instruction Fuzzy Hash: CB210A713001257F97206F71ED81D6BB7ADAF103A8750462BF828D7691D778DC818799
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • C:\Users\user\Desktop\7cduUYXDtl.exe, xrefs: 021D11E8
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: C:\Users\user\Desktop\7cduUYXDtl.exe
                                                • API String ID: 0-3414761971
                                                • Opcode ID: 58ea943009bd374bebf7ec5987a08b3fa813e305a807f4d2fcbf4f6ae6d6cbf6
                                                • Instruction ID: c35d40198e5c3b5f3bd7aa6f20ca5657531313a631f7881eca3bea2874a43164
                                                • Opcode Fuzzy Hash: 58ea943009bd374bebf7ec5987a08b3fa813e305a807f4d2fcbf4f6ae6d6cbf6
                                                • Instruction Fuzzy Hash: F6219276A84105FF9B24AF65DC80F6B776EAF103647204629E92CD7550E732EC018FA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: _wcsrchr
                                                • String ID: .bat$.cmd$.com$.exe
                                                • API String ID: 1752292252-4019086052
                                                • Opcode ID: 19671788b65354572937ca0f5259cacd468799deb2890a42aa5f1fe1ebfecd1d
                                                • Instruction ID: baa428b651ab7fadd2aefce0a8d8cefe58070258f098f4f191bca89b56dcb2ea
                                                • Opcode Fuzzy Hash: 19671788b65354572937ca0f5259cacd468799deb2890a42aa5f1fe1ebfecd1d
                                                • Instruction Fuzzy Hash: 7E012B3BA8C635212624101AEC62BF717988B96FB8B25412FF854F72C1ED9DEC8205DC
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: api-ms-
                                                • API String ID: 0-2084034818
                                                • Opcode ID: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
                                                • Instruction ID: 8addbc20e8b4f1572ca5f78bff053ba989236767de5a1c4d832f47c373f0c560
                                                • Opcode Fuzzy Hash: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
                                                • Instruction Fuzzy Hash: 2B112C71A12221EBC7314B249D44AAB37689F017B4B624933ED45AB390D738DDE1C5DE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0041B938,?,?,0041B900,0041BE86,?,NA), ref: 0041B958
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041B96B
                                                • FreeLibrary.KERNEL32(00000000,?,?,0041B938,?,?,0041B900,0041BE86,?,NA), ref: 0041B98E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-1276376045
                                                • Opcode ID: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
                                                • Instruction ID: 6ab08718997dcf592451d77b1cbf540418157bbc441c253cf8170436862d5d78
                                                • Opcode Fuzzy Hash: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
                                                • Instruction Fuzzy Hash: 52F08230651218FBDB259B50DD0ABEEBA78DF44759F900175A504A1260CB788E46DA98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _free.LIBCMT ref: 0041D822
                                                  • Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
                                                  • Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9
                                                • _free.LIBCMT ref: 0041D835
                                                • _free.LIBCMT ref: 0041D846
                                                • _free.LIBCMT ref: 0041D857
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID: P}]
                                                • API String ID: 776569668-481746256
                                                • Opcode ID: 5b4b832eec97106c71e74c3abf3533cea5e390173416251ec6b9798646083543
                                                • Instruction ID: 2f128d3171f244c94fc48b8332bc88089a284fec835ab8af747093701a289460
                                                • Opcode Fuzzy Hash: 5b4b832eec97106c71e74c3abf3533cea5e390173416251ec6b9798646083543
                                                • Instruction Fuzzy Hash: C3E04FB4801520AFCE012F53FE055953BA2FB947EC340302AF81406232DB390261EFCE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __alloca_probe_16.LIBCMT ref: 00425958
                                                • __alloca_probe_16.LIBCMT ref: 00425A1E
                                                • __freea.LIBCMT ref: 00425A8A
                                                  • Part of subcall function 0041EA8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EABC
                                                • __freea.LIBCMT ref: 00425A93
                                                • __freea.LIBCMT ref: 00425AB6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: __freea$__alloca_probe_16$AllocateHeap
                                                • String ID:
                                                • API String ID: 1423051803-0
                                                • Opcode ID: c74094a0c6d5729c86e1c932978b4c2ceda6b25e6d516f0e0492038c5d5f24b8
                                                • Instruction ID: 7e0d7c363e2f027523b7077ca53f82abc72318da18e9cc0c3b19bc4bba63112a
                                                • Opcode Fuzzy Hash: c74094a0c6d5729c86e1c932978b4c2ceda6b25e6d516f0e0492038c5d5f24b8
                                                • Instruction Fuzzy Hash: 8351E672700626AFDB209F95EC86EBF37A9EF44764F95422AFC04D7240E778DC418698
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0041C040), ref: 0041C130
                                                • GetFileInformationByHandle.KERNEL32(?,?), ref: 0041C18A
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0041C040,?,000000FF,00000000,00000000), ref: 0041C218
                                                • __dosmaperr.LIBCMT ref: 0041C21F
                                                • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0041C25C
                                                  • Part of subcall function 0041C484: __dosmaperr.LIBCMT ref: 0041C4B9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                                                • String ID:
                                                • API String ID: 1206951868-0
                                                • Opcode ID: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
                                                • Instruction ID: 0071a9752275d4edb8b9c21b1954eb469a97b67ce05b4548820d0adabff3a4d5
                                                • Opcode Fuzzy Hash: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
                                                • Instruction Fuzzy Hash: B7413C75940204AFDB249FA5DC859EFBBF9EF89700B00452EF856D3610E7389885CB24
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,021CC2A7), ref: 021CC397
                                                • GetFileInformationByHandle.KERNEL32(?,?), ref: 021CC3F1
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,021CC2A7,?,000000FF,00000000,00000000), ref: 021CC47F
                                                • __dosmaperr.LIBCMT ref: 021CC486
                                                • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 021CC4C3
                                                  • Part of subcall function 021CC6EB: __dosmaperr.LIBCMT ref: 021CC720
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                                                • String ID:
                                                • API String ID: 1206951868-0
                                                • Opcode ID: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
                                                • Instruction ID: 095a0639748e8f1af754a71bebad302c41c4302659f82edfba6c0374ac809f72
                                                • Opcode Fuzzy Hash: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
                                                • Instruction Fuzzy Hash: B3414F79940204AFDB24EFB5DC449BFBBF9EF58700B24852EE85AD3610E7309845CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _free.LIBCMT ref: 00422302
                                                  • Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
                                                  • Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9
                                                • _free.LIBCMT ref: 00422314
                                                • _free.LIBCMT ref: 00422326
                                                • _free.LIBCMT ref: 00422338
                                                • _free.LIBCMT ref: 0042234A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
                                                • Instruction ID: 8eed935d1f0a41e2b9dbe60b1656bd2ba3e28f3ae1fefd92f9cbf16fd4f54630
                                                • Opcode Fuzzy Hash: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
                                                • Instruction Fuzzy Hash: 04F04472501210B78520DBA6F6C2C4B73DAAB94355794180AF809D7641C77CFD81866C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CloseOpenQueryValue
                                                • String ID: #
                                                • API String ID: 3677997916-1885708031
                                                • Opcode ID: 4d26a9903dbf7e4ba4290750e16a9ab8299c95c43a50e3bd25ecedede5d2791d
                                                • Instruction ID: 413e0f059d992d56470604fc557ea71ffbc97bded595905dfeff37c00012e68e
                                                • Opcode Fuzzy Hash: 4d26a9903dbf7e4ba4290750e16a9ab8299c95c43a50e3bd25ecedede5d2791d
                                                • Instruction Fuzzy Hash: 4E12B170940288DFEB15DF68C958BDDBFB6AF55308F608198D804673C1D7B95A88CF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: _free
                                                • String ID: *?
                                                • API String ID: 269201875-2564092906
                                                • Opcode ID: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
                                                • Instruction ID: 7415b14c5d0124b7c9719d17695bca9e12f23279d28e73ebbb8fdbf8e8460f59
                                                • Opcode Fuzzy Hash: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
                                                • Instruction Fuzzy Hash: 5661A1B5E002299FCB14CFA9D8815EEFBF5EF48314B54816AE805F7301E735AE418B94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID: C:\Users\user\Desktop\7cduUYXDtl.exe$X3Z
                                                • API String ID: 0-1489364995
                                                • Opcode ID: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
                                                • Instruction ID: d066e180b9c7d1272e7bf77fa423bf521fbca1e855100b1807d671715baaae7d
                                                • Opcode Fuzzy Hash: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
                                                • Instruction Fuzzy Hash: 6E417379E80214AFDB15EF99EC84AAEBBF9EF99310B24407EE40597350D7719A40CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • RtlEncodePointer.NTDLL(00000000), ref: 021CA169
                                                • CatchIt.LIBVCRUNTIME ref: 021CA24F
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CatchEncodePointer
                                                • String ID: MOC$RCC
                                                • API String ID: 1435073870-2084237596
                                                • Opcode ID: 56cf5a80f9e67a63b3ea8228320d3624bd09d448c8f94bbe6aa890cfa768ed17
                                                • Instruction ID: 3f610f626612548ad6029732c0adcadef81e1dab14aabb72e33c5a240d1f71fc
                                                • Opcode Fuzzy Hash: 56cf5a80f9e67a63b3ea8228320d3624bd09d448c8f94bbe6aa890cfa768ed17
                                                • Instruction Fuzzy Hash: 7F41677994021DEFCF16CF98CD81AAEBBB6BF58304F248199F904A7264D3369960DF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: AdjustPointer
                                                • String ID:
                                                • API String ID: 1740715915-0
                                                • Opcode ID: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
                                                • Instruction ID: a8cd01a110c9a5ba9b93cdf8b6ca506de852c713b8af7688bfec1274bd28d331
                                                • Opcode Fuzzy Hash: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
                                                • Instruction Fuzzy Hash: 3251D0B2601286AFDB298F15D861BEA77A4EF04314F24012FE84646391E739ECC1C799
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetVersionExW.KERNEL32(0000011C,?,00439008,00000000), ref: 021B56E0
                                                • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 021B5747
                                                • GetProcAddress.KERNEL32(00000000), ref: 021B574E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AddressHandleModuleProcVersion
                                                • String ID:
                                                • API String ID: 3310240892-0
                                                • Opcode ID: ddc787008df3d19dcf6ff3ff6324906e599249e81a3a5c2a1838fed2653284d0
                                                • Instruction ID: 78b22c3cffd2a0a7609933017eecf9e54febb24cb3eb61e68da7be5976e7784a
                                                • Opcode Fuzzy Hash: ddc787008df3d19dcf6ff3ff6324906e599249e81a3a5c2a1838fed2653284d0
                                                • Instruction Fuzzy Hash: 8B514571E40208AFDB25DB28DD897DDBB76EF45310FD042B8E804A7380EB358A848F91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _free.LIBCMT ref: 00425FDE
                                                • _free.LIBCMT ref: 00426007
                                                • SetEndOfFile.KERNEL32(00000000,0042354B,00000000,?,?,?,?,?,?,?,?,0042354B,?,00000000), ref: 00426039
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,0042354B,?,00000000,?,?,?,?,?), ref: 00426055
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFileLast
                                                • String ID:
                                                • API String ID: 1547350101-0
                                                • Opcode ID: 005ab2c57f032726cdaaa7f9df82d6b6984aac1401b59b4031c376f8f621a61a
                                                • Instruction ID: 61c1fed18fa2e053e229d2c366b1320fca6b3d495f3fb51fd3c042a4ee27fee9
                                                • Opcode Fuzzy Hash: 005ab2c57f032726cdaaa7f9df82d6b6984aac1401b59b4031c376f8f621a61a
                                                • Instruction Fuzzy Hash: 6C413E72B006115BDB11ABB5ED41B8E37B6AF44364F560017F424E72D2EB7CC840576D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _free.LIBCMT ref: 021D6245
                                                • _free.LIBCMT ref: 021D626E
                                                • SetEndOfFile.KERNEL32(00000000,021D37B2,00000000,021CE6A5,?,?,?,?,?,?,?,021D37B2,021CE6A5,00000000), ref: 021D62A0
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,021D37B2,021CE6A5,00000000,?,?,?,?,00000000), ref: 021D62BC
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: _free$ErrorFileLast
                                                • String ID:
                                                • API String ID: 1547350101-0
                                                APIs
                                                  • Part of subcall function 0041BD6F: _free.LIBCMT ref: 0041BD7D
                                                  • Part of subcall function 004218BF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00425A80,?,00000000,00000000), ref: 00421961
                                                • GetLastError.KERNEL32 ref: 00420950
                                                • __dosmaperr.LIBCMT ref: 00420957
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00420996
                                                • __dosmaperr.LIBCMT ref: 0042099D
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                                • String ID:
                                                • API String ID: 167067550-0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                APIs
                                                • GetLastError.KERNEL32(?,00000000,?,0041BCED,00000000,?,?,?,0041BE86,?), ref: 0041EE97
                                                • _free.LIBCMT ref: 0041EEF4
                                                • _free.LIBCMT ref: 0041EF2A
                                                • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,0041BE86,?), ref: 0041EF35
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: ErrorLast_free
                                                • String ID:
                                                • API String ID: 2283115069-0
                                                APIs
                                                • GetLastError.KERNEL32(?,00000000,?,021CBF54,00000000,?,?,?,021CC0ED,?), ref: 021CF0FE
                                                • _free.LIBCMT ref: 021CF15B
                                                • _free.LIBCMT ref: 021CF191
                                                • SetLastError.KERNEL32(00000000,004390F8,000000FF,?,?,?,021CC0ED,?), ref: 021CF19C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast_free
                                                • String ID:
                                                • API String ID: 2283115069-0
                                                APIs
                                                • GetLastError.KERNEL32(?,?,?,0041C755,0041EACD,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EFEE
                                                • _free.LIBCMT ref: 0041F04B
                                                • _free.LIBCMT ref: 0041F081
                                                • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041F08C
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: ErrorLast_free
                                                • String ID:
                                                • API String ID: 2283115069-0
                                                APIs
                                                • GetLastError.KERNEL32(?,?,?,021CC9BC,021CED34,?,?,021C943A,?,?,?,?,?,021B235A,?,?), ref: 021CF255
                                                • _free.LIBCMT ref: 021CF2B2
                                                • _free.LIBCMT ref: 021CF2E8
                                                • SetLastError.KERNEL32(00000000,004390F8,000000FF,?,?,021C943A,?,?,?,?,?,021B235A,?,?), ref: 021CF2F3
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: ErrorLast_free
                                                • String ID:
                                                • API String ID: 2283115069-0
                                                APIs
                                                • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041F930,00000000,?,00424658,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0041F7E1
                                                • GetLastError.KERNEL32(?,00424658,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0041F930,00000000,00000104,?), ref: 0041F7EB
                                                • __dosmaperr.LIBCMT ref: 0041F7F2
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: ErrorFullLastNamePath__dosmaperr
                                                • String ID:
                                                • API String ID: 2398240785-0
                                                APIs
                                                • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041F930,00000000,?,004245E3,00000000,00000000,0041F930,?,?,00000000,00000000,00000001), ref: 0041F84A
                                                • GetLastError.KERNEL32(?,004245E3,00000000,00000000,0041F930,?,?,00000000,00000000,00000001,00000000,00000000,?,0041F930,00000000,00000104), ref: 0041F854
                                                • __dosmaperr.LIBCMT ref: 0041F85B
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: ErrorFullLastNamePath__dosmaperr
                                                • String ID:
                                                • API String ID: 2398240785-0
                                                APIs
                                                • WriteConsoleW.KERNEL32(00405880,00000000,00437A28,00000000,00405880,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880), ref: 004272E6
                                                • GetLastError.KERNEL32(?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000,00405880,?,0042436F,00405880), ref: 004272F2
                                                  • Part of subcall function 004272B8: CloseHandle.KERNEL32(FFFFFFFE,00427302,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000,00405880), ref: 004272C8
                                                • ___initconout.LIBCMT ref: 00427302
                                                  • Part of subcall function 0042727A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004272A9,004269D4,00405880,?,00423E1B,00000000,?,00405880,00000000), ref: 0042728D
                                                • WriteConsoleW.KERNEL32(00405880,00000000,00437A28,00000000,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000), ref: 00427317
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                • String ID:
                                                • API String ID: 2744216297-0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: CreateThread$Sleep
                                                • String ID:
                                                • API String ID: 422425972-0
                                                APIs
                                                • std::_Xinvalid_argument.LIBCPMT ref: 00412FEF
                                                  • Part of subcall function 00416F50: Concurrency::cancel_current_task.LIBCPMT ref: 00417083
                                                Strings
                                                • stoi argument out of range, xrefs: 00412FF9
                                                • invalid stoi argument, xrefs: 00412FEA
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_
                                                • String ID: invalid stoi argument$stoi argument out of range
                                                • API String ID: 3646673767-1606216832
                                                APIs
                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 021C9776
                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 021C982A
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310346113.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_21b0000_7cduUYXDtl.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CurrentImageNonwritable___except_validate_context_record
                                                • String ID: csm
                                                • API String ID: 3480331319-1018135373
                                                APIs
                                                • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00419F02
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: EncodePointer
                                                • String ID: MOC$RCC
                                                • API String ID: 2118026453-2084237596
                                                APIs
                                                • _free.LIBCMT ref: 00421CC7
                                                • _free.LIBCMT ref: 00421CF5
                                                  • Part of subcall function 0041DD06: IsProcessorFeaturePresent.KERNEL32(00000017,0041EF4E,?,?,?,0041BE86,?), ref: 0041DD22
                                                  • Part of subcall function 0041CC59: IsProcessorFeaturePresent.KERNEL32(00000017,0041CC2B,?,?,?,?,?,00000016,?,0041CC38,00000000,00000000,00000000,00000000,00000000,0041DD77), ref: 0041CC5B
                                                  • Part of subcall function 0041CC59: GetCurrentProcess.KERNEL32(C0000417), ref: 0041CC7E
                                                  • Part of subcall function 0041CC59: TerminateProcess.KERNEL32(00000000), ref: 0041CC85
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: FeaturePresentProcessProcessor_free$CurrentTerminate
                                                • String ID: HZ
                                                • API String ID: 1729132349-879387849
                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00412D18
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: FileModuleName
                                                • String ID: .$5120
                                                • API String ID: 514040917-2446372808
                                                APIs
                                                  • Part of subcall function 0041FDF2: EnterCriticalSection.KERNEL32(00405880,?,00424223,00405880,00437D48,00000010,0041EA11,00000000,C032C301,00000000,00000000,00405880,?,0041BB1A,00405880,00000000), ref: 0041FE0D
                                                • FlushFileBuffers.KERNEL32(00000000,00437D28,0000000C,00423A2E,nA,?,00000001,?,0041E96E,?), ref: 00423970
                                                • GetLastError.KERNEL32 ref: 00423981
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: BuffersCriticalEnterErrorFileFlushLastSection
                                                • String ID: nA
                                                • API String ID: 4109680722-4035868545
                                                • Opcode ID: f003fc8eaf19488ae7f9339aa40c70496bc05c9f4a2d22a8ae3e610d030b7c35
                                                • Instruction ID: 0418fce989e2f534913a4f38d2ce8aa3e5464a19317c2ea272403c313fbf0c0e
                                                • Opcode Fuzzy Hash: f003fc8eaf19488ae7f9339aa40c70496bc05c9f4a2d22a8ae3e610d030b7c35
                                                • Instruction Fuzzy Hash: 45018076B002108FC714AF69E90569D7BB5AF49724F50412FF4219B3D2DBBC9982CB98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.310039188.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000000.00000002.310091436.000000000043E000.00000040.00000001.01000000.00000003.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_400000_7cduUYXDtl.jbxd
                                                Similarity
                                                • API ID: CommandLine
                                                • String ID: X3Z
                                                • API String ID: 3253501508-3795549120
                                                • Opcode ID: 763540b409d2f59638321d6ad6c58e5475a13b84e75f291d525d9f5e2255dcd8
                                                • Instruction ID: 75fcc70df7de8c95f4d97ac528dce34a6a2d18f8ef6a6ec30f935ab3d3f366a5
                                                • Opcode Fuzzy Hash: 763540b409d2f59638321d6ad6c58e5475a13b84e75f291d525d9f5e2255dcd8
                                                • Instruction Fuzzy Hash: CDB09278940200CFC7108F78F80C0253BB0B7086123C07076D841C2330EA35082ACF0A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:1.3%
                                                Dynamic/Decrypted Code Coverage:14.8%
                                                Signature Coverage:0.5%
                                                Total number of Nodes:1322
                                                Total number of Limit Nodes:11
                                                • Execution graph: the report renders this as an interactive graph (1322 nodes, 11 limit nodes); the raw node/edge export is not reproduced here. Nodes in the export that carry Windows API calls include:
                                                • 0x4086a2: CreateMutexW, GetLastError (three edges from the 0x408650 entry node)
                                                • 0x413909: IsUserAnAdmin; 0x413993: GetUserNameA; 0x4139fa: GetComputerNameExW; 0x406510 and 0x413b84: GetModuleFileNameA; 0x4037d0: GetUserNameW, GetProcessHeap, HeapAlloc, GetUserNameW
                                                • 0x87f262: CreateToolhelp32Snapshot; 0x87f27e: Module32First; 0x87ef39: VirtualAlloc (these addresses lie outside the 0x400000 module dump listed above)
                                                • 0x41cac8 and 0x418b27: IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter; 0x418163 and 0x41cbb7: GetCurrentProcess, TerminateProcess; 0x418a67, 0x418887, 0x41cc59, 0x41dd20, 0x41815d: IsProcessorFeaturePresent
                                                • CRT/runtime support nodes: RtlAllocateHeap, HeapFree, EnterCriticalSection/LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, TlsAlloc/TlsGetValue/TlsSetValue/TlsFree, LoadLibraryExW/GetProcAddress/FreeLibrary, GetLastError/SetLastError, GetStartupInfoW, GetStdHandle, GetFileType, GetEnvironmentStringsW/FreeEnvironmentStringsW, GetOEMCP/GetACP/GetCPInfo/IsValidCodePage, MultiByteToWideChar/WideCharToMultiByte, LCMapStringW, GetStringTypeW, RaiseException
18955 416a90 27 API calls 18954->18955 18956 413e72 18955->18956 18957 402c70 70 API calls 18956->18957 18958 413e7d 18957->18958 18959 416a90 27 API calls 18958->18959 18960 413e94 18959->18960 18961 402c70 70 API calls 18960->18961 18962 413e9f 18961->18962 18963 416a90 27 API calls 18962->18963 18964 413eb6 18963->18964 18965 402c70 70 API calls 18964->18965 18966 413ec1 18965->18966 18967 416a90 27 API calls 18966->18967 18968 413edd 18967->18968 18969 402c70 70 API calls 18968->18969 18970 413ee8 18969->18970 19311 4171a0 18970->19311 18972 413efc 19315 4170a0 18972->19315 18974 413f10 18975 4170a0 27 API calls 18974->18975 18976 413f24 18975->18976 18977 4170a0 27 API calls 18976->18977 18978 413f38 18977->18978 18979 4171a0 27 API calls 18978->18979 18980 413f4c 18979->18980 18981 4170a0 27 API calls 18980->18981 18982 413f60 18981->18982 18983 4171a0 27 API calls 18982->18983 18984 413f74 18983->18984 18985 4170a0 27 API calls 18984->18985 18986 413f88 18985->18986 18987 4171a0 27 API calls 18986->18987 18988 413f9c 18987->18988 18989 4170a0 27 API calls 18988->18989 18990 413fb0 18989->18990 18991 4171a0 27 API calls 18990->18991 18992 413fc4 18991->18992 18993 4170a0 27 API calls 18992->18993 18994 413fd8 18993->18994 18995 4171a0 27 API calls 18994->18995 18996 413fec 18995->18996 18997 4170a0 27 API calls 18996->18997 18998 414000 18997->18998 18999 4171a0 27 API calls 18998->18999 19000 414014 18999->19000 19001 4170a0 27 API calls 19000->19001 19002 414028 19001->19002 19003 4171a0 27 API calls 19002->19003 19004 41403c 19003->19004 19005 4170a0 27 API calls 19004->19005 19006 414050 19005->19006 19007 4171a0 27 API calls 19006->19007 19008 414064 19007->19008 19009 4170a0 27 API calls 19008->19009 19010 414078 19009->19010 19011 4170a0 27 API calls 19010->19011 19012 41408c 19011->19012 19013 4170a0 27 API calls 19012->19013 19014 4140a0 19013->19014 19015 4171a0 27 API calls 19014->19015 19016 4140b4 19015->19016 19017 4169d0 25 API calls 
19016->19017 19018 4140c2 19017->19018 19019 414eff 19018->19019 19021 414f39 19018->19021 19020 418152 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 19019->19020 19022 414f21 19020->19022 19023 41cc3c 25 API calls 19021->19023 19025 4167e0 CreateThread CreateThread CreateThread 19022->19025 19024 414f3e 19023->19024 19026 416820 Sleep 19025->19026 19026->19026 19029 416f6e __InternalCxxFrameHandler 19027->19029 19030 416f94 19027->19030 19028 41707e 19031 402180 Concurrency::cancel_current_task 27 API calls 19028->19031 19029->18873 19030->19028 19032 416fe8 19030->19032 19033 41700d 19030->19033 19034 417088 19031->19034 19032->19028 19036 41835e 27 API calls 19032->19036 19035 41835e 27 API calls 19033->19035 19038 416ff9 __wsopen_s 19033->19038 19035->19038 19036->19038 19037 41cc3c 25 API calls 19037->19028 19038->19037 19039 417060 19038->19039 19039->18873 19323 419630 19040->19323 19042 404cc6 GetVersionExW 19043 404ce8 19042->19043 19084 404e18 19042->19084 19044 416a90 27 API calls 19043->19044 19047 404cf7 19044->19047 19045 418152 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 19046 4053d7 19045->19046 19109 402220 19046->19109 19048 402c70 70 API calls 19047->19048 19049 404d02 19048->19049 19050 416a90 27 API calls 19049->19050 19051 404d24 19050->19051 19052 402c70 70 API calls 19051->19052 19053 404d2f GetModuleHandleA GetProcAddress 19052->19053 19056 404d55 19053->19056 19055 404dd6 19058 404e07 GetSystemInfo 19055->19058 19061 404e03 19055->19061 19056->19055 19057 4053de 19056->19057 19059 41cc3c 25 API calls 19057->19059 19058->19061 19060 4053f7 19059->19060 19062 404f49 19061->19062 19063 404e6f 19061->19063 19061->19084 19065 416a90 27 API calls 19062->19065 19064 416a90 27 API calls 19063->19064 19066 404e90 19064->19066 19067 404f5f 19065->19067 19068 402c70 70 API calls 19066->19068 19069 402c70 70 API calls 19067->19069 19071 404e97 19068->19071 19070 404f6a 19069->19070 19072 416a90 27 API calls 
19070->19072 19073 416a90 27 API calls 19071->19073 19074 404f8a 19072->19074 19075 404eaf 19073->19075 19076 402c70 70 API calls 19074->19076 19077 402c70 70 API calls 19075->19077 19078 404f91 19076->19078 19081 404eb6 19077->19081 19079 416a90 27 API calls 19078->19079 19080 404fa6 19079->19080 19082 402c70 70 API calls 19080->19082 19325 41ca5d 19081->19325 19086 404fad 19082->19086 19084->19045 19085 416a90 27 API calls 19087 4050ab 19085->19087 19086->19085 19088 402c70 70 API calls 19087->19088 19089 4050b6 19088->19089 19090 416a90 27 API calls 19089->19090 19091 4050d6 19090->19091 19092 402c70 70 API calls 19091->19092 19093 4050dd 19092->19093 19094 416a90 27 API calls 19093->19094 19095 4050f2 19094->19095 19096 402c70 70 API calls 19095->19096 19097 4050f9 19096->19097 19098 416a90 27 API calls 19097->19098 19099 4051f7 19098->19099 19100 402c70 70 API calls 19099->19100 19101 405202 19100->19101 19102 416a90 27 API calls 19101->19102 19103 405222 19102->19103 19104 402c70 70 API calls 19103->19104 19105 405229 19104->19105 19106 416a90 27 API calls 19105->19106 19107 40523e 19106->19107 19108 402c70 70 API calls 19107->19108 19108->19084 19110 402244 19109->19110 19110->19110 19111 4022b7 19110->19111 19112 416f50 27 API calls 19110->19112 19113 418152 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 19111->19113 19112->19111 19114 4022c6 19113->19114 19115 405400 19114->19115 19116 419630 ___scrt_fastfail 19115->19116 19117 405465 GetVersionExW 19116->19117 19118 40548d 19117->19118 19133 405483 19117->19133 19119 416a90 27 API calls 19118->19119 19120 40549c 19119->19120 19122 402c70 70 API calls 19120->19122 19121 418152 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 19123 4055e5 19121->19123 19124 4054a7 19122->19124 19123->18883 19125 416a90 27 API calls 19124->19125 19126 4054c9 19125->19126 19127 402c70 70 API calls 19126->19127 19128 4054d4 GetModuleHandleA GetProcAddress 19127->19128 19130 4054fa 
19128->19130 19131 405577 19130->19131 19132 4055ec 19130->19132 19131->19133 19134 4055a8 GetSystemInfo 19131->19134 19135 41cc3c 25 API calls 19132->19135 19133->19121 19134->19133 19136 4055f1 19135->19136 19138 416ab6 19137->19138 19139 416abd 19138->19139 19140 416af2 19138->19140 19143 416b11 19138->19143 19139->18888 19141 416b49 19140->19141 19142 416af9 19140->19142 19144 402180 Concurrency::cancel_current_task 27 API calls 19141->19144 19145 41835e 27 API calls 19142->19145 19146 41835e 27 API calls 19143->19146 19148 416b06 __wsopen_s 19143->19148 19147 416aff 19144->19147 19145->19147 19146->19148 19147->19148 19149 41cc3c 25 API calls 19147->19149 19148->18888 19150 416b53 19149->19150 19377 402a40 19151->19377 19157 402d65 19160 418152 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 19157->19160 19158 402d8b 19161 41cc3c 25 API calls 19158->19161 19159 402cdb 19159->19157 19159->19158 19163 402d87 19160->19163 19162 402d90 ___scrt_fastfail 19161->19162 19164 402df7 RegOpenKeyExA 19162->19164 19163->18890 19165 402e50 RegCloseKey 19164->19165 19166 402e26 RegQueryValueExA 19164->19166 19167 402e76 19165->19167 19166->19165 19167->19167 19168 416f50 27 API calls 19167->19168 19170 402e8e 19168->19170 19169 402ef6 19171 418152 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 19169->19171 19170->19169 19172 402f1d 19170->19172 19173 402f19 19171->19173 19174 41cc3c 25 API calls 19172->19174 19173->18890 19175 402f22 RegOpenKeyExA 19174->19175 19177 402f97 RegCloseKey 19175->19177 19178 402f6d RegSetValueExA 19175->19178 19179 402fa8 19177->19179 19178->19177 19180 403066 19179->19180 19181 40304e 19179->19181 19183 41cc3c 25 API calls 19180->19183 19182 418152 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 19181->19182 19184 403062 19182->19184 19185 40306b GdiplusStartup 19183->19185 19184->18890 19396 416b60 19185->19396 19189 416a90 27 API calls 19191 4031eb 19189->19191 19190 4030f0 GetDC 
19190->19189 19192 402c70 42 API calls 19191->19192 19193 4031f6 19192->19193 19194 416a90 27 API calls 19193->19194 19195 403218 19194->19195 19196 402c70 42 API calls 19195->19196 19197 40321f 19196->19197 19198 416a90 27 API calls 19197->19198 19199 403234 19198->19199 19200 402c70 42 API calls 19199->19200 19201 40323b 19200->19201 19202 416a90 27 API calls 19201->19202 19203 403269 19202->19203 19204 402c70 42 API calls 19203->19204 19205 403274 19204->19205 19206 4170a0 27 API calls 19205->19206 19207 403288 19206->19207 19208 4170a0 27 API calls 19207->19208 19210 403299 19208->19210 19209 4037ad 19211 41cc3c 25 API calls 19209->19211 19210->19209 19215 4033db 19210->19215 19212 4037c6 19211->19212 19213 416a90 27 API calls 19214 40341b 19213->19214 19216 402c70 42 API calls 19214->19216 19215->19213 19217 403426 RegGetValueA 19216->19217 19223 403461 19217->19223 19219 4034a2 GetSystemMetrics 19221 4034b0 19219->19221 19222 4034a9 19219->19222 19220 4034ab GetSystemMetrics 19220->19221 19224 416a90 27 API calls 19221->19224 19222->19220 19223->19219 19223->19220 19225 4034cb 19224->19225 19226 402c70 42 API calls 19225->19226 19227 4034d6 RegGetValueA 19226->19227 19229 40350b 19227->19229 19230 403546 GetSystemMetrics 19229->19230 19231 40354f GetSystemMetrics 19229->19231 19232 403554 6 API calls 19230->19232 19233 40354d 19230->19233 19231->19232 19234 403671 6 API calls 19232->19234 19235 4035e7 19232->19235 19233->19231 19238 4036c8 19234->19238 19236 41cc8d ___std_exception_copy 15 API calls 19235->19236 19237 4035ed 19236->19237 19237->19234 19240 4035fc GdipGetImageEncoders 19237->19240 19239 403759 GdiplusShutdown 19238->19239 19241 40376a 19239->19241 19246 403610 19240->19246 19242 418152 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 19241->19242 19243 4037a9 19242->19243 19243->18890 19244 41ca42 ___std_exception_destroy 14 API calls 19245 403668 19244->19245 19245->19234 19246->19244 19248 416ce1 __InternalCxxFrameHandler 
19247->19248 19249 416d0c 19247->19249 19248->18902 19250 416dfb 19249->19250 19252 416d60 19249->19252 19253 416d87 19249->19253 19259 416d71 __wsopen_s 19249->19259 19254 402180 Concurrency::cancel_current_task 27 API calls 19250->19254 19251 41cc3c 25 API calls 19255 416e0a 19251->19255 19252->19250 19256 416d6b 19252->19256 19258 41835e 27 API calls 19253->19258 19253->19259 19254->19259 19257 41835e 27 API calls 19256->19257 19257->19259 19258->19259 19259->19251 19260 416de2 19259->19260 19260->18902 19263 417bcb 19261->19263 19269 417cb4 __wsopen_s 19261->19269 19262 417d41 19265 402180 Concurrency::cancel_current_task 27 API calls 19262->19265 19263->19262 19264 417c4b __wsopen_s 19263->19264 19266 417c61 19263->19266 19267 417c3a 19263->19267 19263->19269 19264->19269 19272 41cc3c 25 API calls 19264->19272 19268 417d4b 19265->19268 19266->19264 19270 41835e 27 API calls 19266->19270 19267->19262 19271 41835e 27 API calls 19267->19271 19269->18904 19270->19264 19271->19264 19272->19262 19274 4039c2 7 API calls 19273->19274 19275 403855 LookupAccountNameW GetProcessHeap HeapAlloc GetProcessHeap HeapAlloc 19273->19275 19286 4039b4 19274->19286 19275->19274 19276 40389d 19275->19276 19276->19274 19278 4038a5 LookupAccountNameW 19276->19278 19277 418152 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 19279 403a03 19277->19279 19278->19274 19280 4038c4 ConvertSidToStringSidW 19278->19280 19290 403a10 19279->19290 19280->19274 19281 4038d7 19280->19281 19282 416f50 27 API calls 19281->19282 19283 403953 19282->19283 19284 416f50 27 API calls 19283->19284 19285 40398e 19284->19285 19285->19286 19287 403a07 19285->19287 19286->19277 19288 41cc3c 25 API calls 19287->19288 19289 403a0c 19288->19289 19304 403ce4 19290->19304 19305 403a88 19290->19305 19291 403da6 19451 417090 19291->19451 19292 403d07 19293 416f50 27 API calls 19292->19293 19296 403d26 19293->19296 19295 403dab 19297 41cc3c 25 API calls 19295->19297 19296->19295 19302 403d7c 
19296->19302 19298 403db0 19297->19298 19299 418152 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 19300 403d9f 19299->19300 19306 4169d0 19300->19306 19301 416f50 27 API calls 19301->19305 19302->19299 19304->19291 19304->19292 19305->19291 19305->19295 19305->19301 19305->19304 19446 417d50 19305->19446 19307 416a01 19306->19307 19308 4169de 19306->19308 19307->18916 19308->19307 19309 41cc3c 25 API calls 19308->19309 19310 416a4c 19309->19310 19312 4171b9 19311->19312 19314 4171cd __InternalCxxFrameHandler 19312->19314 19481 4178f0 19312->19481 19314->18972 19316 417112 19315->19316 19317 4170c8 19315->19317 19319 417121 __InternalCxxFrameHandler 19316->19319 19321 4178f0 27 API calls 19316->19321 19317->19316 19318 4170d1 19317->19318 19320 417d50 27 API calls 19318->19320 19319->18974 19322 4170da 19320->19322 19321->19319 19322->18974 19324 419647 19323->19324 19324->19042 19324->19324 19328 41c7af 19325->19328 19346 41c9fd 19328->19346 19330 41c7fa 19331 41bcad __fassign 37 API calls 19330->19331 19338 41c806 19331->19338 19332 41c7c1 19332->19330 19333 41c7d6 19332->19333 19345 41c7e6 19332->19345 19334 41c750 _free 14 API calls 19333->19334 19335 41c7db 19334->19335 19336 41cc2c ___std_exception_copy 25 API calls 19335->19336 19336->19345 19339 41c835 19338->19339 19353 41beac 19338->19353 19342 41c89f 19339->19342 19359 41c9d4 19339->19359 19340 41c9d4 25 API calls 19343 41c967 19340->19343 19342->19340 19344 41c750 _free 14 API calls 19343->19344 19343->19345 19344->19345 19345->19084 19347 41ca02 19346->19347 19348 41ca15 19346->19348 19349 41c750 _free 14 API calls 19347->19349 19348->19332 19350 41ca07 19349->19350 19351 41cc2c ___std_exception_copy 25 API calls 19350->19351 19352 41ca12 19351->19352 19352->19332 19354 41bee9 19353->19354 19355 41beb9 19353->19355 19372 41f60d 19354->19372 19357 41bec8 __fassign 19355->19357 19365 41f631 19355->19365 19357->19338 19360 41c9e5 19359->19360 19361 41c9f9 19359->19361 19360->19361 
19362 41c750 _free 14 API calls 19360->19362 19361->19342 19363 41c9ee 19362->19363 19364 41cc2c ___std_exception_copy 25 API calls 19363->19364 19364->19361 19366 41bcad __fassign 37 API calls 19365->19366 19368 41f64e 19366->19368 19367 41f65e 19370 418152 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 19367->19370 19368->19367 19369 42246f 40 API calls 19368->19369 19369->19367 19371 41f6fa 19370->19371 19371->19357 19373 41ee92 _unexpected 37 API calls 19372->19373 19374 41f618 19373->19374 19375 41f58b __fassign 37 API calls 19374->19375 19376 41f628 19375->19376 19376->19357 19410 416e10 19377->19410 19379 402a6a 19380 402ae0 19379->19380 19381 416e10 27 API calls 19380->19381 19384 402b14 19381->19384 19382 402c46 19385 402890 19382->19385 19384->19382 19423 41bf00 19384->19423 19386 41835e 27 API calls 19385->19386 19394 40291a 19386->19394 19387 4029e8 19388 402a0e 19387->19388 19390 402a36 19387->19390 19389 418152 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 19388->19389 19391 402a32 19389->19391 19392 41cc3c 25 API calls 19390->19392 19391->19159 19393 402a3b 19392->19393 19394->19387 19433 4177b0 19394->19433 19397 416b78 19396->19397 19398 416bab 19396->19398 19397->19190 19400 416ca4 19398->19400 19402 416c00 19398->19402 19403 416c27 19398->19403 19408 416c11 19398->19408 19399 41cc3c 25 API calls 19401 416cb3 19399->19401 19404 402180 Concurrency::cancel_current_task 27 API calls 19400->19404 19402->19400 19405 416c0b 19402->19405 19407 41835e 27 API calls 19403->19407 19403->19408 19404->19408 19406 41835e 27 API calls 19405->19406 19406->19408 19407->19408 19408->19399 19409 416c88 19408->19409 19409->19190 19412 416e28 ___scrt_fastfail 19410->19412 19413 416e4f 19410->19413 19411 416f38 19416 402180 Concurrency::cancel_current_task 27 API calls 19411->19416 19412->19379 19413->19411 19414 416ea3 19413->19414 19415 416ec8 19413->19415 19414->19411 19418 41835e 27 API calls 19414->19418 19419 41835e 27 API 
calls 19415->19419 19421 416eb4 ___scrt_fastfail 19415->19421 19417 416f42 19416->19417 19418->19421 19419->19421 19420 41cc3c 25 API calls 19420->19411 19421->19420 19422 416f1a 19421->19422 19422->19379 19424 41bf1c __fassign 19423->19424 19425 41bf0e 19423->19425 19424->19384 19428 41be73 19425->19428 19429 41bcad __fassign 37 API calls 19428->19429 19430 41be86 19429->19430 19431 41beac 40 API calls 19430->19431 19432 41be97 19431->19432 19432->19384 19434 4177d3 19433->19434 19435 4178d9 19433->19435 19436 417815 19434->19436 19437 41783f 19434->19437 19438 402180 Concurrency::cancel_current_task 27 API calls 19435->19438 19436->19435 19439 417820 19436->19439 19441 41835e 27 API calls 19437->19441 19444 417826 __wsopen_s 19437->19444 19438->19444 19440 41835e 27 API calls 19439->19440 19440->19444 19441->19444 19442 41cc3c 25 API calls 19443 4178e8 19442->19443 19444->19442 19445 41789b __wsopen_s 19444->19445 19445->19394 19447 417d64 19446->19447 19450 417d75 __InternalCxxFrameHandler __wsopen_s 19447->19450 19454 417e10 19447->19454 19449 417dfb 19449->19305 19450->19305 19470 418132 19451->19470 19455 417f49 19454->19455 19456 417e3b 19454->19456 19457 402180 Concurrency::cancel_current_task 27 API calls 19455->19457 19458 417e82 19456->19458 19459 417ea9 19456->19459 19464 417e93 __wsopen_s 19457->19464 19458->19455 19460 417e8d 19458->19460 19463 41835e 27 API calls 19459->19463 19459->19464 19462 41835e 27 API calls 19460->19462 19461 41cc3c 25 API calls 19465 417f58 19461->19465 19462->19464 19463->19464 19464->19461 19469 417f11 __wsopen_s 19464->19469 19466 417f8a 19465->19466 19467 41cc3c 25 API calls 19465->19467 19466->19449 19468 417fae 19467->19468 19469->19449 19475 4180a6 19470->19475 19473 4193e4 std::_Xinvalid_argument RaiseException 19474 418151 19473->19474 19478 417fc7 19475->19478 19479 4191a9 ___std_exception_copy 26 API calls 19478->19479 19480 417ff3 19479->19480 19480->19473 19482 41791b 19481->19482 19483 417a3e 19481->19483 19485 
417962 19482->19485 19486 41798c 19482->19486 19484 402180 Concurrency::cancel_current_task 27 API calls 19483->19484 19492 417973 __wsopen_s 19484->19492 19485->19483 19487 41796d 19485->19487 19490 41835e 27 API calls 19486->19490 19486->19492 19489 41835e 27 API calls 19487->19489 19488 41cc3c 25 API calls 19491 417a4d 19488->19491 19489->19492 19490->19492 19492->19488 19493 4179fc __wsopen_s 19492->19493 19493->19314 19495 41b8ab 19494->19495 19496 41b8bd 19494->19496 19497 418b89 __CreateFrameInfo GetModuleHandleW 19495->19497 19506 41b744 19496->19506 19499 41b8b0 19497->19499 19499->19496 19522 41b943 GetModuleHandleExW 19499->19522 19501 418857 19501->18338 19505 41b900 19507 41b750 CallCatchBlock 19506->19507 19528 41dea3 EnterCriticalSection 19507->19528 19509 41b75a 19529 41b7b0 19509->19529 19511 41b767 19533 41b785 19511->19533 19514 41b901 19557 41df02 GetPEB 19514->19557 19517 41b930 19519 41b943 __CreateFrameInfo 3 API calls 19517->19519 19518 41b910 GetPEB 19518->19517 19520 41b920 GetCurrentProcess TerminateProcess 19518->19520 19521 41b938 ExitProcess 19519->19521 19520->19517 19523 41b962 GetProcAddress 19522->19523 19524 41b985 19522->19524 19527 41b977 19523->19527 19525 41b8bc 19524->19525 19526 41b98b FreeLibrary 19524->19526 19525->19496 19526->19525 19527->19524 19528->19509 19530 41b7bc CallCatchBlock 19529->19530 19531 41b81d __CreateFrameInfo 19530->19531 19536 41d713 19530->19536 19531->19511 19556 41deeb LeaveCriticalSection 19533->19556 19535 41b773 19535->19501 19535->19514 19539 41d444 19536->19539 19540 41d450 CallCatchBlock 19539->19540 19547 41dea3 EnterCriticalSection 19540->19547 19542 41d45e 19548 41d623 19542->19548 19547->19542 19549 41d642 19548->19549 19550 41d46b 19548->19550 19549->19550 19551 41e5a1 _free 14 API calls 19549->19551 19552 41d493 19550->19552 19551->19550 19555 41deeb LeaveCriticalSection 19552->19555 19554 41d47c 19554->19531 19555->19554 19556->19535 19558 41b90b 19557->19558 19559 41df1c 19557->19559 
19558->19517 19558->19518 19561 41f296 19559->19561 19562 41f213 _unexpected 5 API calls 19561->19562 19563 41f2b2 19562->19563 19563->19558

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 119 41b901-41b90e call 41df02 122 41b930-41b93c call 41b943 ExitProcess 119->122 123 41b910-41b91e GetPEB 119->123 123->122 125 41b920-41b92a GetCurrentProcess TerminateProcess 123->125 125->122
                                                APIs
                                                • GetCurrentProcess.KERNEL32(?,?,0041B900,0041BE86,?,NA,0041BE86,0041EF4E), ref: 0041B923
                                                • TerminateProcess.KERNEL32(00000000,?,0041B900,0041BE86,?,NA,0041BE86,0041EF4E), ref: 0041B92A
                                                • ExitProcess.KERNEL32 ref: 0041B93C
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: Process$CurrentExitTerminate
                                                • String ID:
                                                • API String ID: 1703294689-0
                                                • Opcode ID: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
                                                • Instruction ID: c3524ad3d233ec0a3a19b1bf7aedcb75de5af13a6c7a41cb1465cf438659ca8f
                                                • Opcode Fuzzy Hash: 3d3398b3f9dcf73c51e1cd00535af5d0e13f2263922661259b1695b405c8b0d4
                                                • Instruction Fuzzy Hash: 63E0B671120208EFCB216F65DD49AA97B79FB44751BC44439FA0586231CB39EE93CB98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 127 87f23e-87f257 128 87f259-87f25b 127->128 129 87f262-87f26e CreateToolhelp32Snapshot 128->129 130 87f25d 128->130 131 87f270-87f276 129->131 132 87f27e-87f28b Module32First 129->132 130->129 131->132 137 87f278-87f27c 131->137 133 87f294-87f29c 132->133 134 87f28d-87f28e call 87eefd 132->134 138 87f293 134->138 137->128 137->132 138->133
                                                APIs
                                                • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0087F266
                                                • Module32First.KERNEL32(00000000,00000224), ref: 0087F286
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.347151025.000000000087E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0087E000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_87e000_rovwer.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: CreateFirstModule32SnapshotToolhelp32
                                                • String ID:
                                                • API String ID: 3833638111-0
                                                • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                • Instruction ID: 863f65daa9c50eed53724a0a9ada00a027b2a12474693e89094b812ac830c07f
                                                • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                • Instruction Fuzzy Hash: B5F0F6361007107BDB203BFA988CB6E76E8FF49324F104538E74AD24C2CB70EC054A61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 0 408650-408664 1 408683-40868f call 417a50 0->1 2 408666-408681 0->2 3 408694-40869b 1->3 2->3 5 4086a2-4086c2 CreateMutexW GetLastError 3->5 6 40869d-4086a0 3->6 7 4086c8-4086ce 5->7 6->0 8 4086d0-4086e2 7->8 9 4086fe-408718 7->9 12 4086f4-4086fb call 4185df 8->12 13 4086e4-4086f2 8->13 10 408741-408754 call 418152 9->10 11 40871a-408725 9->11 21 408759-40875c 10->21 14 408737-40873e call 4185df 11->14 15 408727-408735 11->15 12->9 13->12 17 408764-4087ae call 41cc3c call 406bb0 call 406590 13->17 14->10 15->14 15->17 29 4087b3-4087b7 17->29 30 4087b9 29->30 31 4087bb-4087c8 SetCurrentDirectoryA 29->31 30->31 32 4087f6-4088c0 call 416a90 call 402c70 call 416a90 call 402c70 call 416a90 call 402c70 call 4171a0 call 4170a0 call 4171a0 call 417380 call 4170a0 call 4048c0 31->32 33 4087ca-4087d6 31->33 68 4088c5-4088ce 32->68 34 4087d8-4087e6 33->34 35 4087ec-4087f3 call 4185df 33->35 34->35 37 408b10 call 41cc3c 34->37 35->32 43 408b15 call 41cc3c 37->43 47 408b1a-408b1f call 41cc3c 43->47 69 4088d0-4088dc 68->69 70 4088fc-408914 68->70 71 4088f2-4088f9 call 4185df 69->71 72 4088de-4088ec 69->72 73 408942-40895a 70->73 74 408916-408922 70->74 71->70 72->43 72->71 78 40898b-4089a9 73->78 79 40895c-40896b 73->79 76 408924-408932 74->76 77 408938-40893f call 4185df 74->77 76->43 76->77 77->73 80 4089da-4089fe 78->80 81 4089ab-4089ba 78->81 84 408981-408988 call 4185df 79->84 85 40896d-40897b 79->85 89 408a00-408a0f 80->89 90 408a2f-408a50 80->90 87 4089d0-4089d7 call 4185df 81->87 88 4089bc-4089ca 81->88 84->78 85->43 85->84 87->80 88->43 88->87 96 408a11-408a1f 89->96 97 408a25-408a2c call 4185df 89->97 92 408a52-408a5e 90->92 93 408a7e-408a99 90->93 98 408a60-408a6e 92->98 99 408a74-408a7b call 4185df 92->99 100 408ac6-408acc 93->100 101 408a9b-408aaa 93->101 96->43 96->97 97->90 98->43 98->99 99->93 107 408af6-408b0f call 418152 100->107 108 408ace-408ada 100->108 105 408abc-408ac3 call 4185df 
101->105 106 408aac-408aba 101->106 105->100 106->43 106->105 113 408aec-408af3 call 4185df 108->113 114 408adc-408aea 108->114 113->107 114->47 114->113
                                                APIs
                                                • CreateMutexW.KERNELBASE(00000000,00000000,?,0043A194,34AAABE9,?,00000000,00000000), ref: 004086B1
                                                • GetLastError.KERNEL32(?,00000000,00000000), ref: 004086B7
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: CreateErrorLastMutex
                                                • String ID:
                                                • API String ID: 1925916568-0
                                                • Opcode ID: a5b5c924cf0598033fc7552755438c6b161d435a7d09cfac228ba958160edf38
                                                • Instruction ID: d5025c2257f1853fae8f1be1934c88d0cd5ba35f682ee7a5a0e711edb3be859e
                                                • Opcode Fuzzy Hash: a5b5c924cf0598033fc7552755438c6b161d435a7d09cfac228ba958160edf38
                                                • Instruction Fuzzy Hash: 57D15C71A001089BEB18DB28CE85BDDB772EF85314F60817EE445B73D6DF395A808B59
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 140 41d1bb-41d1c2 141 41d1c4-41d1c6 140->141 142 41d1c7-41d1ce call 421602 call 4219a3 140->142 146 41d1d3-41d1d7 142->146 147 41d1d9-41d1dc 146->147 148 41d1de-41d1e7 call 41d20e 146->148 150 41d202-41d20d call 41e5a1 147->150 153 41d1e9-41d1ec 148->153 154 41d1ee-41d1f5 148->154 156 41d1fa-41d201 call 41e5a1 153->156 154->156 156->150
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: _free
                                                • String ID:
                                                • API String ID: 269201875-0
                                                • Opcode ID: 9f5dec638c6018a6b24b976b0791b773a56ee0672529c52ab4d44372aafa3d49
                                                • Instruction ID: f1d333090dd57bfd17dfe39ecb9b07313f9b1ca465b706eabb36e918cd1afe6e
                                                • Opcode Fuzzy Hash: 9f5dec638c6018a6b24b976b0791b773a56ee0672529c52ab4d44372aafa3d49
                                                • Instruction Fuzzy Hash: 4FE0E5B6E0242022E211623F7C46AEB11856BD133AB15022FF860861E0DF7C88C2D19E
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 159 408770-4087a7 call 406bb0 162 4087ae call 406590 159->162 163 4087b3-4087b7 162->163 164 4087b9 163->164 165 4087bb-4087c8 SetCurrentDirectoryA 163->165 164->165 166 4087f6-40880a call 416a90 165->166 167 4087ca-4087d6 165->167 176 408810 call 402c70 166->176 168 4087d8-4087e6 167->168 169 4087ec-4087f3 call 4185df 167->169 168->169 171 408b10 call 41cc3c 168->171 169->166 177 408b15 call 41cc3c 171->177 178 408815-408835 call 416a90 176->178 181 408b1a-408b1f call 41cc3c 177->181 183 408838 call 402c70 178->183 185 40883d-408858 call 416a90 183->185 189 40885e call 402c70 185->189 190 408863-4088bd call 4171a0 call 4170a0 call 4171a0 call 417380 call 4170a0 189->190 201 4088c0 call 4048c0 190->201 202 4088c5-4088ce 201->202 203 4088d0-4088dc 202->203 204 4088fc-408914 202->204 205 4088f2-4088f9 call 4185df 203->205 206 4088de-4088ec 203->206 207 408942-40895a 204->207 208 408916-408922 204->208 205->204 206->177 206->205 212 40898b-4089a9 207->212 213 40895c-40896b 207->213 210 408924-408932 208->210 211 408938-40893f call 4185df 208->211 210->177 210->211 211->207 214 4089da-4089fe 212->214 215 4089ab-4089ba 212->215 218 408981-408988 call 4185df 213->218 219 40896d-40897b 213->219 223 408a00-408a0f 214->223 224 408a2f-408a50 214->224 221 4089d0-4089d7 call 4185df 215->221 222 4089bc-4089ca 215->222 218->212 219->177 219->218 221->214 222->177 222->221 230 408a11-408a1f 223->230 231 408a25-408a2c call 4185df 223->231 226 408a52-408a5e 224->226 227 408a7e-408a99 224->227 232 408a60-408a6e 226->232 233 408a74-408a7b call 4185df 226->233 234 408ac6-408acc 227->234 235 408a9b-408aaa 227->235 230->177 230->231 231->224 232->177 232->233 233->227 241 408af6-408b0f call 418152 234->241 242 408ace-408ada 234->242 239 408abc-408ac3 call 4185df 235->239 240 408aac-408aba 235->240 239->234 240->177 240->239 247 408aec-408af3 call 4185df 242->247 248 408adc-408aea 242->248 247->241 248->181 248->247
                                                APIs
                                                  • Part of subcall function 00408770: GetModuleFileNameA.KERNEL32(00000000,?,00000104,34AAABE9), ref: 00406BFF
                                                  • Part of subcall function 00406590: GetModuleFileNameA.KERNEL32(00000000,?,00000104,34AAABE9,?,00000000), ref: 004065F3
                                                • SetCurrentDirectoryA.KERNEL32(00000000,34AAABE9,00000000), ref: 004087BC
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: FileModuleName$CurrentDirectory
                                                • String ID:
                                                • API String ID: 1135421992-0
                                                • Opcode ID: c0393972aab4d93959729be5652f9478907cec9a3f92d5172277890f364fd88e
                                                • Instruction ID: d0dae173410c9e4e1febe3177f2c9113cc4b317fee0fa56548834116e9d8ebca
                                                • Opcode Fuzzy Hash: c0393972aab4d93959729be5652f9478907cec9a3f92d5172277890f364fd88e
                                                • Instruction Fuzzy Hash: 4B51FA70E002489BEF14EB64CA45BDDBB72AF42308F6041AED445773C7DB781A84CB5A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 253 417a50-417a6d 254 417a73-417a81 253->254 255 417b94 call 417ba0 253->255 257 417a83-417a85 254->257 258 417a87-417a8f 254->258 259 417b99-417b9f call 41cc3c 255->259 260 417a9f-417aa7 257->260 261 417a91-417a96 258->261 262 417a98-417a9c 258->262 264 417aad-417ab4 260->264 265 417b8f call 402180 260->265 261->260 262->260 268 417ae0-417ae2 264->268 269 417ab6-417abb 264->269 265->255 271 417af4 268->271 272 417ae4-417ae5 call 41835e 268->272 269->265 270 417ac1-417acc call 41835e 269->270 270->259 280 417ad2-417ade 270->280 275 417af6-417b06 271->275 277 417aea-417af2 272->277 278 417b68-417b8c call 41b1d0 275->278 279 417b08-417b3d call 41b1d0 275->279 277->275 285 417b51-417b65 call 4185df 279->285 286 417b3f-417b4d 279->286 280->275 286->259 288 417b4f 286->288 288->285
                                                APIs
                                                • Concurrency::cancel_current_task.LIBCPMT ref: 00417B8F
                                                  • Part of subcall function 00402180: ___std_exception_copy.LIBVCRUNTIME ref: 004021BE
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: Concurrency::cancel_current_task___std_exception_copy
                                                • String ID:
                                                • API String ID: 1979911387-0
                                                • Opcode ID: d28470824307c46c043b17cc731677d80b73be28b83e5386658e58e37f45c324
                                                • Instruction ID: 17865e07c0a9020476bb62f3ecb7ae26e4e2800d30adc2ccf051e38fdb3837cc
                                                • Opcode Fuzzy Hash: d28470824307c46c043b17cc731677d80b73be28b83e5386658e58e37f45c324
                                                • Instruction Fuzzy Hash: CD414772A0810A9BCB14DF288C819EFB3B5FF84358714067AD819DB341E734EE9583D9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 290 41835e-418361 291 418370-418373 call 41cc8d 290->291 293 418378-41837b 291->293 294 418363-41836e call 41cca7 293->294 295 41837d-41837e 293->295 294->291 298 41837f-418383 294->298 299 402180-4021d0 call 402160 call 4193e4 call 4191a9 298->299 300 418389-418886 call 417faf call 4193e4 298->300
                                                APIs
                                                • ___std_exception_copy.LIBVCRUNTIME ref: 004021BE
                                                  • Part of subcall function 004193E4: RaiseException.KERNEL32(E06D7363,00000001,00000003,0040219C,?,?,?,0040219C,?,00437E4C), ref: 00419444
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: ExceptionRaise___std_exception_copy
                                                • String ID:
                                                • API String ID: 3109751735-0
                                                • Opcode ID: 79f28c06042652cc4a4b4e37ebf95145dffe76a591269d0a023a1b3527f7ecb0
                                                • Instruction ID: 0754849f2873f9ee99eecf20cf2606fb6430f2f66f9579a4d74c0798b0fd6e96
                                                • Opcode Fuzzy Hash: 79f28c06042652cc4a4b4e37ebf95145dffe76a591269d0a023a1b3527f7ecb0
                                                • Instruction Fuzzy Hash: 09012B3590020D77C714BAA5EC469CA73AC9E04714B60453BF928A7191FB78E9C587DD
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 312 41fca4-41fcb1 call 420873 314 41fcb6-41fcc1 312->314 315 41fcc3-41fcc5 314->315 316 41fcc7-41fccf 314->316 317 41fd12-41fd1e call 41e5a1 315->317 316->317 318 41fcd1-41fcd5 316->318 320 41fcd7-41fd0c call 41f451 318->320 324 41fd0e-41fd11 320->324 324->317
                                                APIs
                                                  • Part of subcall function 00420873: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0041F034,00000001,00000364,00000008,000000FF,?,?,004191D3,?), ref: 004208B4
                                                • _free.LIBCMT ref: 0041FD13
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: AllocateHeap_free
                                                • String ID:
                                                • API String ID: 614378929-0
                                                • Opcode ID: bbfaf170cd2aa4a5dd4654b786cba334a1d7a93fa1ef5963fa5f0812df2330b2
                                                • Instruction ID: 70b6eeed5610955833eca53ebfbf82cf5bb37bdb6f1881a91f0ece62663c8b3f
                                                • Opcode Fuzzy Hash: bbfaf170cd2aa4a5dd4654b786cba334a1d7a93fa1ef5963fa5f0812df2330b2
                                                • Instruction Fuzzy Hash: 640149B26043566BC3209F99D881ADAFB98FB443B4F10062EE545A76C0E374AC56C7E8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 325 420873-42087e 326 420880-42088a 325->326 327 42088c-420892 325->327 326->327 328 4208c0-4208cb call 41c750 326->328 329 420894-420895 327->329 330 4208ab-4208bc RtlAllocateHeap 327->330 336 4208cd-4208cf 328->336 329->330 331 420897-42089e call 41dc2f 330->331 332 4208be 330->332 331->328 338 4208a0-4208a9 call 41cca7 331->338 332->336 338->328 338->330
                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0041F034,00000001,00000364,00000008,000000FF,?,?,004191D3,?), ref: 004208B4
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: b74571d69d9b0232edf4526da73c509a374cb4a9f19198f923c60397a3458b71
                                                • Instruction ID: fd7077de4c568d6a2e66846734c52a563ccaa344bff8033cadba6e7d35bed193
                                                • Opcode Fuzzy Hash: b74571d69d9b0232edf4526da73c509a374cb4a9f19198f923c60397a3458b71
                                                • Instruction Fuzzy Hash: A8F0B432701235669B257A23AC05B5B37E9AF417A0B544137E818A6293DB68E80586EC
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                  • Part of subcall function 0040CBD0: GetTempPathA.KERNEL32(00000104,?), ref: 0040B2FE
                                                  • Part of subcall function 0040CBD0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,34AAABE9), ref: 0040A7BC
                                                  • Part of subcall function 00406510: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00406540
                                                  • Part of subcall function 0040CBD0: GetUserNameA.ADVAPI32(?,?), ref: 0040B96E
                                                  • Part of subcall function 004138B0: IsUserAnAdmin.SHELL32 ref: 0041390D
                                                  • Part of subcall function 004138B0: GetUserNameA.ADVAPI32(?,?), ref: 004139B7
                                                  • Part of subcall function 004138B0: GetComputerNameExW.KERNEL32(00000002,?,?,?,?), ref: 00413A20
                                                  • Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 004167F6
                                                  • Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 00416807
                                                  • Part of subcall function 004167E0: CreateThread.KERNEL32 ref: 00416818
                                                  • Part of subcall function 004167E0: Sleep.KERNEL32(00007530,?,00416873), ref: 00416825
                                                • InternetCloseHandle.WININET(00000000), ref: 00416887
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: Name$CreateThreadUser$FileModule$AdminCloseComputerHandleInternetPathSleepTemp
                                                • String ID:
                                                • API String ID: 1411138196-0
                                                • Opcode ID: 681845bb7bdad3a9b280c05efa4f412a3339f2d7827d3117315032cc1d5ff116
                                                • Instruction ID: fcb51b4180ac2c01cd311fc2696d032aed602c74c46a29392a881be8b31f0bff
                                                • Opcode Fuzzy Hash: 681845bb7bdad3a9b280c05efa4f412a3339f2d7827d3117315032cc1d5ff116
                                                • Instruction Fuzzy Hash: 21E08671A0050407DA043BBA5D0B64E31184F8134CF94027FB815665D7EE6DD56441FF
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 360 41ea8a-41ea96 361 41eac8-41ead3 call 41c750 360->361 362 41ea98-41ea9a 360->362 369 41ead5-41ead7 361->369 363 41eab3-41eac4 RtlAllocateHeap 362->363 364 41ea9c-41ea9d 362->364 367 41eac6 363->367 368 41ea9f-41eaa6 call 41dc2f 363->368 364->363 367->369 368->361 372 41eaa8-41eab1 call 41cca7 368->372 372->361 372->363
                                                APIs
                                                • RtlAllocateHeap.NTDLL(00000000,?,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EABC
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: AllocateHeap
                                                • String ID:
                                                • API String ID: 1279760036-0
                                                • Opcode ID: dfa22ebf96d117e5e2d1e15a0c463ff833afb46ba7fb8ad48bf3f6a11dcdaed7
                                                • Instruction ID: 5e5b785a8da04b63c94067ca99906f02eb36a9a31bcd46b4234264a7978573d4
                                                • Opcode Fuzzy Hash: dfa22ebf96d117e5e2d1e15a0c463ff833afb46ba7fb8ad48bf3f6a11dcdaed7
                                                • Instruction Fuzzy Hash: A5E0E53954012266E62126634C007DB7A48BF813F0F050037EC18962C0DB98DCC182ED
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 375 87eefd-87ef37 call 87f210 378 87ef85 375->378 379 87ef39-87ef6c VirtualAlloc call 87ef8a 375->379 378->378 381 87ef71-87ef83 379->381 381->378
                                                APIs
                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0087EF4E
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.347151025.000000000087E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0087E000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_87e000_rovwer.jbxd
                                                Yara matches
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                • Instruction ID: 9c2cd20f36a150e4d09d273ac4be7d2c6d664076a40042a0582e12adfaaea19f
                                                • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                • Instruction Fuzzy Hash: 35112B79A00208EFDB01DF98C985E98BBF5EF08350F1580A4F9489B362D771EA50DF80
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00403F66
                                                • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00403FCB
                                                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00403FE4
                                                • GetThreadContext.KERNEL32(?,00000000), ref: 00403FFF
                                                • ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00404023
                                                • GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection), ref: 0040403E
                                                • GetProcAddress.KERNEL32(00000000), ref: 00404045
                                                • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0040406D
                                                • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 0040408E
                                                • WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00000000), ref: 004040D2
                                                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000), ref: 0040410E
                                                • SetThreadContext.KERNEL32(?,00000000,?,?,00000000), ref: 0040412A
                                                • ResumeThread.KERNEL32(?,?,?,00000000), ref: 00404136
                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,00000000), ref: 00404144
                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00404165
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: Process$MemoryVirtual$ThreadWrite$AllocContextFreeModule$AddressCreateFileHandleNameProcReadResume
                                                • String ID: $NtUnmapViewOfSection$ntdll.dll
                                                • API String ID: 4033543172-1522589568
                                                • Opcode ID: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
                                                • Instruction ID: 7185e54e9f5f5e6bc342fc5ffd2bfcf32a837d4cfdcfbf42461452ed81247528
                                                • Opcode Fuzzy Hash: 2fc5be1b3ec4d92441bc9103c4f92097ff01d4c177745f7de35fcca25cf32f0a
                                                • Instruction Fuzzy Hash: 66518971600218EBDB209F54DC49FEAB7B8FF48701F9040B6F708AA291D7B1A995CF58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetUserNameW.ADVAPI32(00000000,?), ref: 00403822
                                                • GetProcessHeap.KERNEL32(00000008,?), ref: 00403837
                                                • HeapAlloc.KERNEL32(00000000), ref: 0040383A
                                                • GetUserNameW.ADVAPI32(00000000,?), ref: 00403848
                                                • LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 0040386B
                                                • GetProcessHeap.KERNEL32(00000008,?), ref: 00403876
                                                • HeapAlloc.KERNEL32(00000000), ref: 00403879
                                                • GetProcessHeap.KERNEL32(00000008,?), ref: 00403889
                                                • HeapAlloc.KERNEL32(00000000), ref: 0040388C
                                                • LookupAccountNameW.ADVAPI32(00000000,?,00000000,?,00000000,?,?), ref: 004038B6
                                                • ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 004038C9
                                                • GetProcessHeap.KERNEL32(00000000,?), ref: 004039C5
                                                • HeapFree.KERNEL32(00000000), ref: 004039CE
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039D3
                                                • HeapFree.KERNEL32(00000000), ref: 004039D6
                                                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004039DD
                                                • HeapFree.KERNEL32(00000000), ref: 004039E0
                                                • LocalFree.KERNEL32(00000000), ref: 004039E5
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: Heap$Process$FreeName$Alloc$AccountLookupUser$ConvertLocalString
                                                • String ID:
                                                • API String ID: 3326663573-0
                                                • Opcode ID: 78a4ed75098941435d79c9e4be2ef9b8bcea189319cacdc9b38411f4183bede5
                                                • Instruction ID: 167f534f4a5bc3f8c65bdd595c5ec8e1d54d44385eb9c59962b1969d814595bf
                                                • Opcode Fuzzy Hash: 78a4ed75098941435d79c9e4be2ef9b8bcea189319cacdc9b38411f4183bede5
                                                • Instruction Fuzzy Hash: EA716DB1E00209ABDB14DFA5DC85BEFBBBCEB48300F40453AE905A7281DB749905CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ___free_lconv_mon.LIBCMT ref: 00422653
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 00422209
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 0042221B
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 0042222D
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 0042223F
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 00422251
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 00422263
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 00422275
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 00422287
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 00422299
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 004222AB
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 004222BD
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 004222CF
                                                  • Part of subcall function 004221EC: _free.LIBCMT ref: 004222E1
                                                • _free.LIBCMT ref: 00422648
                                                  • Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
                                                  • Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9
                                                • _free.LIBCMT ref: 0042266A
                                                • _free.LIBCMT ref: 0042267F
                                                • _free.LIBCMT ref: 0042268A
                                                • _free.LIBCMT ref: 004226AC
                                                • _free.LIBCMT ref: 004226BF
                                                • _free.LIBCMT ref: 004226CD
                                                • _free.LIBCMT ref: 004226D8
                                                • _free.LIBCMT ref: 00422710
                                                • _free.LIBCMT ref: 00422717
                                                • _free.LIBCMT ref: 00422734
                                                • _free.LIBCMT ref: 0042274C
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                • String ID:
                                                • API String ID: 161543041-0
                                                • Opcode ID: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
                                                • Instruction ID: 87a383156b0838ac626f9c2c6038cf6ce1f5ffd7cd3d592d57855f9c4539c293
                                                • Opcode Fuzzy Hash: 2ebc8ac26202a0620aa625b36a1d2a8fe7bc692bad1c871fd446d657effbc3a9
                                                • Instruction Fuzzy Hash: B6319272604211BFEB205A76EA45B9B73E5AF80358F50441FE849D7251DFBCED80DB18
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 00419C22
                                                • type_info::operator==.LIBVCRUNTIME ref: 00419C49
                                                • ___TypeMatch.LIBVCRUNTIME ref: 00419D55
                                                • IsInExceptionSpec.LIBVCRUNTIME ref: 00419E30
                                                • _UnwindNestedFrames.LIBCMT ref: 00419EB7
                                                • CallUnexpected.LIBVCRUNTIME ref: 00419ED2
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                • String ID: csm$csm$csm
                                                • API String ID: 2123188842-393685449
                                                • Opcode ID: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
                                                • Instruction ID: d03aefa22aee8cf5aa416bea0a170c685dbf4c7cd79984a2e6415da9b3a38480
                                                • Opcode Fuzzy Hash: 7c1fb931e7428280153d6c09b5a5c630754522480dfed903c9c8a59691bc5c1e
                                                • Instruction Fuzzy Hash: 49C18871900209EFCF29DFA5D8A19EEBBB5BF04314F14405BE8516B242D339DE91CB9A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00408BAC
                                                • InternetOpenA.WININET(0043432B,00000000,00000000,00000000,00000000), ref: 00408BC2
                                                • InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00408BE2
                                                • InternetReadFile.WININET(00000000,00000000,?,?), ref: 00408BF3
                                                • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00408C15
                                                • InternetReadFile.WININET(00000000,00000000,?,?), ref: 00408C20
                                                • CloseHandle.KERNEL32(?), ref: 00408C32
                                                • InternetCloseHandle.WININET(?), ref: 00408C41
                                                • InternetCloseHandle.WININET(00000000), ref: 00408C44
                                                • RemoveDirectoryA.KERNEL32(00000000,?,?,?), ref: 00408CFD
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: Internet$File$CloseHandle$OpenRead$CreateDirectoryRemoveWrite
                                                • String ID:
                                                • API String ID: 1496009958-0
                                                • Opcode ID: a03c8a6a5dc2d60af4fabd9a53e78b3c0acd28151ef74d758808e3d68e992827
                                                • Instruction ID: e39da941a42be4000a8416f9d2a6f8c848e32a180712f45a109694aa4e2734ce
                                                • Opcode Fuzzy Hash: a03c8a6a5dc2d60af4fabd9a53e78b3c0acd28151ef74d758808e3d68e992827
                                                • Instruction Fuzzy Hash: 6E71EF71600208ABEB14DF64DD85BEE7735EF44304F50423EF945AB2D1DB38A980CB68
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _free.LIBCMT ref: 0041ED90
                                                  • Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
                                                  • Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9
                                                • _free.LIBCMT ref: 0041ED9C
                                                • _free.LIBCMT ref: 0041EDA7
                                                • _free.LIBCMT ref: 0041EDB2
                                                • _free.LIBCMT ref: 0041EDBD
                                                • _free.LIBCMT ref: 0041EDC8
                                                • _free.LIBCMT ref: 0041EDD3
                                                • _free.LIBCMT ref: 0041EDDE
                                                • _free.LIBCMT ref: 0041EDE9
                                                • _free.LIBCMT ref: 0041EDF7
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: b518f20b764996853f57fbd2a3fdc4e7bf3deb810a08f9cd0b2a52dd965201da
                                                • Instruction ID: e610bd300bd5c2f85586062e27af9f16ff799e012d6f089a2169b26ee7872c24
                                                • Opcode Fuzzy Hash: b518f20b764996853f57fbd2a3fdc4e7bf3deb810a08f9cd0b2a52dd965201da
                                                • Instruction Fuzzy Hash: ED219CBA910108BFCB41EF96C941DDD7BF6BF88344F00416AF9199B121EB35DA84DB84
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • InternetOpenW.WININET(00434EF4,00000000,00000000,00000000,00000000), ref: 0040425C
                                                • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040426E
                                                • InternetReadFile.WININET(00000000,?,03E80000,03E80000), ref: 00404281
                                                • InternetCloseHandle.WININET(00000000), ref: 00404292
                                                • InternetCloseHandle.WININET(00000000), ref: 00404295
                                                • InternetCloseHandle.WININET(00000000), ref: 004042A3
                                                • InternetCloseHandle.WININET(00000000), ref: 004042A6
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: Internet$CloseHandle$Open$FileRead
                                                • String ID: runas
                                                • API String ID: 4294395943-4000483414
                                                • Opcode ID: ede4e6356156c8ab4243dfa032a0409c686b6a0ba36998d547ea5ec34ec217d5
                                                • Instruction ID: ba1dc25ec83469701d4c7edc2e7ba4793e46b241d410edfdecdbeb0a0fce58bd
                                                • Opcode Fuzzy Hash: ede4e6356156c8ab4243dfa032a0409c686b6a0ba36998d547ea5ec34ec217d5
                                                • Instruction Fuzzy Hash: 4951D571E00108ABDB14DFA4DC41BEEBB75EF85300F60816EF915B7291D7389945CBA8
                                                Uniqueness

                                                Uniqueness Score: -1.00%
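The two WinINet listings above describe two download shapes. The function at 00408BAC opens a file with CreateFileA (dwDesiredAccess 40000000 = GENERIC_WRITE, dwCreationDisposition 00000002 = CREATE_ALWAYS, dwFlagsAndAttributes 00000080 = FILE_ATTRIBUTE_NORMAL), loops InternetReadFile into WriteFile, closes the handles and calls RemoveDirectoryA. The function at 0040425C opens a URL with InternetOpenW/InternetOpenUrlW and reads with InternetReadFile, where the report shows 03E80000 as the dwNumberOfBytesToRead argument, with no WriteFile at all; the report also lists the string "runas" for that function, which the example below does not interpret. The following Python is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses lines in the report's `API.MODULE(arg,...), ref: ADDR` format, decodes the CreateFile arguments using the documented Win32 constants, and labels a function listing as download-to-disk or in-memory download. The sample inputs are copied from the two listings; the rule that address order approximates call order is an assumption of the example.

```python
# Added example, not code from the Joe Sandbox report or from the analysed sample: it parses
# the report's "API.MODULE(arg,...), ref: ADDR" listing lines and classifies download patterns.
import re
from dataclasses import dataclass

# Constructed sample input, copied from the downloader listing at 00408BAC..00408CFD above.
SAMPLE_DOWNLOADER = """\
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00408BAC
• InternetOpenA.WININET(0043432B,00000000,00000000,00000000,00000000), ref: 00408BC2
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00408BE2
• InternetReadFile.WININET(00000000,00000000,?,?), ref: 00408BF3
• WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00408C15
• InternetReadFile.WININET(00000000,00000000,?,?), ref: 00408C20
• CloseHandle.KERNEL32(?), ref: 00408C32
• InternetCloseHandle.WININET(?), ref: 00408C41
• InternetCloseHandle.WININET(00000000), ref: 00408C44
• RemoveDirectoryA.KERNEL32(00000000,?,?,?), ref: 00408CFD
"""
# Constructed sample input, copied from the in-memory reader listing at 0040425C..00404292 above.
SAMPLE_MEMORY_READER = """\
• InternetOpenW.WININET(00434EF4,00000000,00000000,00000000,00000000), ref: 0040425C
• InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040426E
• InternetReadFile.WININET(00000000,?,03E80000,03E80000), ref: 00404281
• InternetCloseHandle.WININET(00000000), ref: 00404292
"""

# One listing line: optional bullet, optional "Part of subcall function X:" prefix,
# API.MODULE, optional "(args)", then ", ref: ADDR" (no comma when there are no args).
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w:~=<>]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# Documented Win32 constants for CreateFile's dwDesiredAccess and dwCreationDisposition.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list       # int for hex literals, None for '?', str for anything else
    ref: int
    subcall: bool    # True for "Part of subcall function" lines


def parse_arg(token):
    token = token.strip()
    if token in ("", "?"):
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token


def parse_api_lines(text):
    """Turn the report's listing lines into ApiCall records, keeping listing order."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw is not None else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), "Part of subcall" in line))
    return calls


def decode_create_file(call):
    """Decode CreateFileA/W(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes,
    dwCreationDisposition, dwFlagsAndAttributes, hTemplateFile) from the traced arguments."""
    access, share, _sa, disposition, attrs = (call.args + [None] * 7)[1:6]
    names = [n for bit, n in GENERIC_ACCESS.items() if isinstance(access, int) and access & bit]
    return {"access": names, "share_mode": share,
            "disposition": CREATION_DISPOSITION.get(disposition, disposition),
            "attributes": "FILE_ATTRIBUTE_NORMAL" if attrs == 0x80 else attrs}


def classify_function(text):
    """Label one function listing as download-to-disk and/or in-memory download.
    Assumption of this example: the listing's address order approximates call order."""
    calls = parse_api_lines(text)

    def first(prefix):
        return next((i for i, c in enumerate(calls) if c.api.startswith(prefix)), None)

    create, read, write = first("CreateFile"), first("InternetReadFile"), first("WriteFile")
    create_info = decode_create_file(calls[create]) if create is not None else None
    to_disk = (None not in (create, read, write) and create < read < write
               and "GENERIC_WRITE" in create_info["access"])
    read_sizes = [c.args[2] for c in calls if c.api == "InternetReadFile"
                  and len(c.args) > 2 and isinstance(c.args[2], int)]
    return {"calls": [c.api for c in calls], "create_file": create_info,
            "download_to_disk": to_disk,
            "in_memory_download": read is not None and write is None,
            "largest_read_request": max(read_sizes, default=None),
            "removes_directory": any(c.api.startswith("RemoveDirectory") for c in calls)}
```

`classify_function(SAMPLE_DOWNLOADER)` reports download_to_disk with GENERIC_WRITE and CREATE_ALWAYS, while `classify_function(SAMPLE_MEMORY_READER)` reports in_memory_download with a largest read request of 0x03E80000 bytes. The ordering check is only a heuristic: the IDA plugin lists calls by address, so a loop body such as the second InternetReadFile at 00408C20 appears after the WriteFile it feeds, and a function that downloads into memory may hand the buffer to a different function for writing or injection, which a per-function classifier cannot see.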

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f5ce67aa41b5f7f4889b1a1a20be5028291e55dfd00ef2a2d6d7ad31bcea8bed
                                                • Instruction ID: 5128a0cef717139e7719faf6ed0b9fe75c650819d7ce78bb109199c1610a9dbc
                                                • Opcode Fuzzy Hash: f5ce67aa41b5f7f4889b1a1a20be5028291e55dfd00ef2a2d6d7ad31bcea8bed
                                                • Instruction Fuzzy Hash: D3C114B4B002159FDF11DF99E880BAEBBB0BF49304F51406AE914A7382C7789D81CF69
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 004232B6: CreateFileW.KERNEL32(00000000,00000000,?,004236A6,?,?,00000000,?,004236A6,00000000,0000000C), ref: 004232D3
                                                • GetLastError.KERNEL32 ref: 00423711
                                                • __dosmaperr.LIBCMT ref: 00423718
                                                • GetFileType.KERNEL32(00000000), ref: 00423724
                                                • GetLastError.KERNEL32 ref: 0042372E
                                                • __dosmaperr.LIBCMT ref: 00423737
                                                • CloseHandle.KERNEL32(00000000), ref: 00423757
                                                • CloseHandle.KERNEL32(?), ref: 004238A4
                                                • GetLastError.KERNEL32 ref: 004238D6
                                                • __dosmaperr.LIBCMT ref: 004238DD
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                • String ID:
                                                • API String ID: 4237864984-0
                                                • Opcode ID: 0d649afaf30192c5c19431845a951fd0479d0f23fa76b0b367cd72335b8b290c
                                                • Instruction ID: c7b97c56f1a0d1b911df166da15c54d720095dd6c25035754b532be6d98a6b0c
                                                • Opcode Fuzzy Hash: 0d649afaf30192c5c19431845a951fd0479d0f23fa76b0b367cd72335b8b290c
                                                • Instruction Fuzzy Hash: 7CA15872A041149FCF19DF68EC917AE3BB1AB06325F54016EF811AB391CB7C8952CB5A
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: _free$___from_strstr_to_strchr
                                                • String ID:
                                                • API String ID: 3409252457-0
                                                • Opcode ID: 260dabd453d74701cb9a01dd90e077a135ccfcbca354cdd74d2d71df0f34a932
                                                • Instruction ID: f188bb2de727b7b751c2d84351da10a70f250225146cef8743706f99745805fe
                                                • Opcode Fuzzy Hash: 260dabd453d74701cb9a01dd90e077a135ccfcbca354cdd74d2d71df0f34a932
                                                • Instruction Fuzzy Hash: 0E518C74F44324AFDB24AFB7A881A6E7BB4AF11314F54416FE410972A1EA3D8940CB5D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _ValidateLocalCookies.LIBCMT ref: 00419507
                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 0041950F
                                                • _ValidateLocalCookies.LIBCMT ref: 00419598
                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 004195C3
                                                • _ValidateLocalCookies.LIBCMT ref: 00419618
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                • String ID: csm
                                                • API String ID: 1170836740-1018135373
                                                • Opcode ID: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
                                                • Instruction ID: cf6a3be1c1e6f4323defd25786acadca5afaa418f9c93884064ec3a043526e94
                                                • Opcode Fuzzy Hash: 170db4f13a52bbc04fbb15fe7ab42c90d24a7c19ae8ceb0e3c19913b98646896
                                                • Instruction Fuzzy Hash: 09411A31A00214AFCF11DF69C890ADEBBB1BF45318F54806BE8146B352D739DE96CB99
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: api-ms-$ext-ms-
                                                • API String ID: 0-537541572
                                                • Opcode ID: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
                                                • Instruction ID: 8946f5363388c355846af12649c4142b4e9cf4c5f65ba016e67a922269825e5f
                                                • Opcode Fuzzy Hash: d346eea9aafd959945e16ecfc9ebbe047e966c499b5e8e0d3b3e0bbc48b51e8c
                                                • Instruction Fuzzy Hash: 3521C672A41221FBCB318A24DC45A9B3778AB017A0F650532ED15A7391D638ED4BC5DC
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 00422353: _free.LIBCMT ref: 00422378
                                                • _free.LIBCMT ref: 004223D9
                                                  • Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
                                                  • Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9
                                                • _free.LIBCMT ref: 004223E4
                                                • _free.LIBCMT ref: 004223EF
                                                • _free.LIBCMT ref: 00422443
                                                • _free.LIBCMT ref: 0042244E
                                                • _free.LIBCMT ref: 00422459
                                                • _free.LIBCMT ref: 00422464
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
                                                • Instruction ID: 3666b1e76cecdb1a9706d82e7bd79ae187b091a1e89744abee2c0a3d449e73e2
                                                • Opcode Fuzzy Hash: 745ba4c7df38b0c8b3501d58b22aa89868de86b005191e755d783c3d27d16807
                                                • Instruction Fuzzy Hash: C611E471601714BAD921F7B2DD47FCB77DD5F0834CF84881EBACD6A052D6ACB6514604
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetConsoleCP.KERNEL32(?,00405880,00000000), ref: 00423A8E
                                                • __fassign.LIBCMT ref: 00423C6D
                                                • __fassign.LIBCMT ref: 00423C8A
                                                • WriteFile.KERNEL32(?,00405880,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423CD2
                                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00423D12
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00423DBE
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: FileWrite__fassign$ConsoleErrorLast
                                                • String ID:
                                                • API String ID: 4031098158-0
                                                • Opcode ID: 5a0c35df1f21bdc5310913443ad541efee69954072d07ce9ea6e444a121a2afd
                                                • Instruction ID: 55294dd1ed643e62d688e25fe7fc8b93d32e6dca02253c809cdcf0ede3e7f937
                                                • Opcode Fuzzy Hash: 5a0c35df1f21bdc5310913443ad541efee69954072d07ce9ea6e444a121a2afd
                                                • Instruction Fuzzy Hash: 21D1A075E002689FCF15CFA8D8809EDBBB5BF48314F64016AE455FB342D738AA46CB58
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLastError.KERNEL32(?,?,004197E7,004193D7,00418C1C), ref: 004197FE
                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0041980C
                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00419825
                                                • SetLastError.KERNEL32(00000000,004197E7,004193D7,00418C1C), ref: 00419877
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: ErrorLastValue___vcrt_
                                                • String ID:
                                                • API String ID: 3852720340-0
                                                • Opcode ID: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
                                                • Instruction ID: 71a7697fc03e6214697c45e1a132a8316019e6706060db725442c6d2a3e753c8
                                                • Opcode Fuzzy Hash: 0f6e51aa0c255468b6a622d8c735b9b5b069fdda8c7ed9770d7dbe64c9198e0d
                                                • Instruction Fuzzy Hash: F101D8326293115EE62C3B76AE959D72774EF067B8720023FF120441F1EF594C95D58D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                • C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe, xrefs: 00420F81
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
                                                • API String ID: 0-3338832412
                                                • Opcode ID: d9fd3d3f386e086f16d5e96c86dfc6c05a3e177acafcacdda8c025444d2164cb
                                                • Instruction ID: f2c65a4c72dcbe00dc32dc221c8eb50b3435d1ebdf66b1fbb5bbc6e11338d05a
                                                • Opcode Fuzzy Hash: d9fd3d3f386e086f16d5e96c86dfc6c05a3e177acafcacdda8c025444d2164cb
                                                • Instruction Fuzzy Hash: CB210A713001257F97206F71ED81D6BB7ADAF103A8750462BF828D7691D778DC818799
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                 • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: _wcsrchr
                                                • String ID: .bat$.cmd$.com$.exe
                                                • API String ID: 1752292252-4019086052
                                                • Opcode ID: 19671788b65354572937ca0f5259cacd468799deb2890a42aa5f1fe1ebfecd1d
                                                • Instruction ID: baa428b651ab7fadd2aefce0a8d8cefe58070258f098f4f191bca89b56dcb2ea
                                                • Opcode Fuzzy Hash: 19671788b65354572937ca0f5259cacd468799deb2890a42aa5f1fe1ebfecd1d
                                                • Instruction Fuzzy Hash: 7E012B3BA8C635212624101AEC62BF717988B96FB8B25412FF854F72C1ED9DEC8205DC
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: api-ms-
                                                • API String ID: 0-2084034818
                                                • Opcode ID: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
                                                • Instruction ID: 8addbc20e8b4f1572ca5f78bff053ba989236767de5a1c4d832f47c373f0c560
                                                • Opcode Fuzzy Hash: d7b12ed5c3c764c8b82cc7f1cf76b5788b814adb9963f19d14a8505e8bb0b4a8
                                                • Instruction Fuzzy Hash: 2B112C71A12221EBC7314B249D44AAB37689F017B4B624933ED45AB390D738DDE1C5DE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0041B938,?,?,0041B900,0041BE86,?,NA), ref: 0041B958
                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041B96B
                                                • FreeLibrary.KERNEL32(00000000,?,?,0041B938,?,?,0041B900,0041BE86,?,NA), ref: 0041B98E
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                • String ID: CorExitProcess$mscoree.dll
                                                • API String ID: 4061214504-1276376045
                                                • Opcode ID: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
                                                • Instruction ID: 6ab08718997dcf592451d77b1cbf540418157bbc441c253cf8170436862d5d78
                                                • Opcode Fuzzy Hash: af14fd2dde53d7be7e540de01eeb28501674720f1683c90e0ca13ac16e635f3d
                                                • Instruction Fuzzy Hash: 52F08230651218FBDB259B50DD0ABEEBA78DF44759F900175A504A1260CB788E46DA98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: _free$InformationTimeZone
                                                • String ID:
                                                • API String ID: 597776487-0
                                                • Opcode ID: 0fe61e17206dce54771a5055940e70056e7a200eab18ece9396fc025dad7d191
                                                • Instruction ID: 2c4f844ee906d1c5b8a05b7d4d89c1c9074c071bb98950a21f89e01ce9d05ddf
                                                • Opcode Fuzzy Hash: 0fe61e17206dce54771a5055940e70056e7a200eab18ece9396fc025dad7d191
                                                • Instruction Fuzzy Hash: 1FC17835B00128ABDB209F69EC41BAB7BA9EFC5354F94416FE550D7381E7388E01CB88
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetCPInfo.KERNEL32(00874140,00874140,?,7FFFFFFF,?,?,00427265,00874140,00874140,?,00874140,?,?,?,?,00874140), ref: 0042704C
                                                • __alloca_probe_16.LIBCMT ref: 00427102
                                                • __alloca_probe_16.LIBCMT ref: 00427198
                                                • __freea.LIBCMT ref: 00427203
                                                • __freea.LIBCMT ref: 0042720F
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: __alloca_probe_16__freea$Info
                                                • String ID:
                                                • API String ID: 2330168043-0
                                                • Opcode ID: c559a93f2d06cee59e46b38ea2fc726286989e451536d90b3fb509578e86aae3
                                                • Instruction ID: f6d9b8f12c634194a1b411eace1e19527ea88e01b30f60a4b5a6e0b516c13e2d
                                                • Opcode Fuzzy Hash: c559a93f2d06cee59e46b38ea2fc726286989e451536d90b3fb509578e86aae3
                                                • Instruction Fuzzy Hash: 4481E472B082259BDF219EA5AC41EEF7BB5EF09354F98005BF804A7341D62DCC458BB9
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • __alloca_probe_16.LIBCMT ref: 00425958
                                                • __alloca_probe_16.LIBCMT ref: 00425A1E
                                                • __freea.LIBCMT ref: 00425A8A
                                                  • Part of subcall function 0041EA8A: RtlAllocateHeap.NTDLL(00000000,?,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EABC
                                                • __freea.LIBCMT ref: 00425A93
                                                • __freea.LIBCMT ref: 00425AB6
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: __freea$__alloca_probe_16$AllocateHeap
                                                • String ID:
                                                • API String ID: 1423051803-0
                                                • Opcode ID: 801bfc73f5307c034d341afffc150cc0786828de70bde5b9b10ebb0cec96e4eb
                                                • Instruction ID: 7e0d7c363e2f027523b7077ca53f82abc72318da18e9cc0c3b19bc4bba63112a
                                                • Opcode Fuzzy Hash: 801bfc73f5307c034d341afffc150cc0786828de70bde5b9b10ebb0cec96e4eb
                                                • Instruction Fuzzy Hash: 8351E672700626AFDB209F95EC86EBF37A9EF44764F95422AFC04D7240E778DC418698
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0041C040), ref: 0041C130
                                                • GetFileInformationByHandle.KERNEL32(?,?), ref: 0041C18A
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0041C040,?,000000FF,00000000,00000000), ref: 0041C218
                                                • __dosmaperr.LIBCMT ref: 0041C21F
                                                • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0041C25C
                                                  • Part of subcall function 0041C484: __dosmaperr.LIBCMT ref: 0041C4B9
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                                                • String ID:
                                                • API String ID: 1206951868-0
                                                • Opcode ID: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
                                                • Instruction ID: 0071a9752275d4edb8b9c21b1954eb469a97b67ce05b4548820d0adabff3a4d5
                                                • Opcode Fuzzy Hash: 8e7ecedbbb3726c11739f19b321c018a01a8de47d4bdd8436282d5c79af9c44f
                                                • Instruction Fuzzy Hash: B7413C75940204AFDB249FA5DC859EFBBF9EF89700B00452EF856D3610E7389885CB24
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _free.LIBCMT ref: 00422302
                                                  • Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
                                                  • Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9
                                                • _free.LIBCMT ref: 00422314
                                                • _free.LIBCMT ref: 00422326
                                                • _free.LIBCMT ref: 00422338
                                                • _free.LIBCMT ref: 0042234A
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
                                                • Instruction ID: 8eed935d1f0a41e2b9dbe60b1656bd2ba3e28f3ae1fefd92f9cbf16fd4f54630
                                                • Opcode Fuzzy Hash: a090e3dca2e19da394a01cead958df991e42452585b2f6658ee12e14c4d52992
                                                • Instruction Fuzzy Hash: 04F04472501210B78520DBA6F6C2C4B73DAAB94355794180AF809D7641C77CFD81866C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: _free
                                                • String ID: *?
                                                • API String ID: 269201875-2564092906
                                                • Opcode ID: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
                                                • Instruction ID: 7415b14c5d0124b7c9719d17695bca9e12f23279d28e73ebbb8fdbf8e8460f59
                                                • Opcode Fuzzy Hash: 4349432449d004c56f1fbb459abf86acb5202655a551f523de74eb3488688e5f
                                                • Instruction Fuzzy Hash: 5661A1B5E002299FCB14CFA9D8815EEFBF5EF48314B54816AE805F7301E735AE418B94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: AdjustPointer
                                                • String ID:
                                                • API String ID: 1740715915-0
                                                • Opcode ID: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
                                                • Instruction ID: a8cd01a110c9a5ba9b93cdf8b6ca506de852c713b8af7688bfec1274bd28d331
                                                • Opcode Fuzzy Hash: 7e8d2a906245dc524fe8c50e746b229fe3151c293ccc1eab8f3b2c5d31764d92
                                                • Instruction Fuzzy Hash: 3251D0B2601286AFDB298F15D861BEA77A4EF04314F24012FE84646391E739ECC1C799
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetVersionExW.KERNEL32(0000011C,?,34AAABE9,00000000), ref: 00405479
                                                • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004054E0
                                                • GetProcAddress.KERNEL32(00000000), ref: 004054E7
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: AddressHandleModuleProcVersion
                                                • String ID:
                                                • API String ID: 3310240892-0
                                                • Opcode ID: 3a7e95708154f6916853b84b21f3cd0acf8b247c8ce27c36d8ff6b2a54ddc4e8
                                                • Instruction ID: 1307c1e28f23caf99c3cad6e9d6b2b61846357279e254348caa37701d54b456e
                                                • Opcode Fuzzy Hash: 3a7e95708154f6916853b84b21f3cd0acf8b247c8ce27c36d8ff6b2a54ddc4e8
                                                • Instruction Fuzzy Hash: B8513971900608ABDB14DB24DD497DE7B76EB46314F5042BAE805B73C1DB389EC48F99
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _free.LIBCMT ref: 00425FDE
                                                • _free.LIBCMT ref: 00426007
                                                • SetEndOfFile.KERNEL32(00000000,0042354B,00000000,?,?,?,?,?,?,?,?,0042354B,?,00000000), ref: 00426039
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,0042354B,?,00000000,?,?,?,?,?), ref: 00426055
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFileLast
                                                • String ID:
                                                • API String ID: 1547350101-0
                                                • Opcode ID: 1b46a168150b59dd7f484fb80afce3f9d1467af84aa4dd7d5580741876eb59e2
                                                • Instruction ID: 61c1fed18fa2e053e229d2c366b1320fca6b3d495f3fb51fd3c042a4ee27fee9
                                                • Opcode Fuzzy Hash: 1b46a168150b59dd7f484fb80afce3f9d1467af84aa4dd7d5580741876eb59e2
                                                • Instruction Fuzzy Hash: 6C413E72B006115BDB11ABB5ED41B8E37B6AF44364F560017F424E72D2EB7CC840576D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0041BD6F: _free.LIBCMT ref: 0041BD7D
                                                  • Part of subcall function 004218BF: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00425A80,?,00000000,00000000), ref: 00421961
                                                • GetLastError.KERNEL32 ref: 00420950
                                                • __dosmaperr.LIBCMT ref: 00420957
                                                • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00420996
                                                • __dosmaperr.LIBCMT ref: 0042099D
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                                • String ID:
                                                • API String ID: 167067550-0
                                                • Opcode ID: 2cc476a48764411ac7d7f7841f806bb526956e32d48153aac2d156f6a7af72d6
                                                • Instruction ID: 91911ec1de34df9e01eb008ea9a24e12f878ac442d2ad626700c96a69c790fc9
                                                • Opcode Fuzzy Hash: 2cc476a48764411ac7d7f7841f806bb526956e32d48153aac2d156f6a7af72d6
                                                • Instruction Fuzzy Hash: 2721F0B1700225AFA710AF62ACC196B77EDEF00374790851AF86697253D738DCC08B94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLastError.KERNEL32(?,00000000,?,0041BCED,00000000,?,?,?,0041BE86,?), ref: 0041EE97
                                                • _free.LIBCMT ref: 0041EEF4
                                                • _free.LIBCMT ref: 0041EF2A
                                                • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,?,0041BE86,?), ref: 0041EF35
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: ErrorLast_free
                                                • String ID:
                                                • API String ID: 2283115069-0
                                                • Opcode ID: 75c439bd07e5c140abce3c4c364696c07bf38f8c954372fab3069a11bd660fc8
                                                • Instruction ID: 26790fddcd24ef136aadc0cc0bf27d5f777129a8301660e6568487d79e7ca8b5
                                                • Opcode Fuzzy Hash: 75c439bd07e5c140abce3c4c364696c07bf38f8c954372fab3069a11bd660fc8
                                                • Instruction Fuzzy Hash: 2411CA3A6002017AD61427B79CC59EB256997C1779B25013BFD39832D2FE6D8CDB811D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetLastError.KERNEL32(?,?,?,0041C755,0041EACD,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041EFEE
                                                • _free.LIBCMT ref: 0041F04B
                                                • _free.LIBCMT ref: 0041F081
                                                • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,004191D3,?,?,?,?,?,004020F3,?,?), ref: 0041F08C
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: ErrorLast_free
                                                • String ID:
                                                • API String ID: 2283115069-0
                                                • Opcode ID: ff05b0e8af83039ccd4e2bcecb2eca9c121a5a1b09bf2688f1c3f19d4c897a95
                                                • Instruction ID: d1a755533480a66cbcbdd6da6f61a8fcfdc6096e1f08231a3cc2ec091d2cf52b
                                                • Opcode Fuzzy Hash: ff05b0e8af83039ccd4e2bcecb2eca9c121a5a1b09bf2688f1c3f19d4c897a95
                                                • Instruction Fuzzy Hash: FB114C322045016AC7102B76ACC1DEB2969DBC8778765023BF92A822E3EF6CCCDF511C
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041F930,00000000,?,00424658,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0041F7E1
                                                • GetLastError.KERNEL32(?,00424658,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0041F930,00000000,00000104,?), ref: 0041F7EB
                                                • __dosmaperr.LIBCMT ref: 0041F7F2
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: ErrorFullLastNamePath__dosmaperr
                                                • String ID:
                                                • API String ID: 2398240785-0
                                                • Opcode ID: 05d28394caa5e79c84551c055246600de674f2baba94b68408dd47ae0dfcca9d
                                                • Instruction ID: 3e1febbc0a8defaca1089d50814ae8bcfad4f789bcb8220d5dd2739c2ed7ebaf
                                                • Opcode Fuzzy Hash: 05d28394caa5e79c84551c055246600de674f2baba94b68408dd47ae0dfcca9d
                                                • Instruction Fuzzy Hash: 1DF06D36600115BB8B202FA2DD08C9BBFA9FF443A03444136F52DC7561DB35E8A6CBE8
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0041F930,00000000,?,004245E3,00000000,00000000,0041F930,?,?,00000000,00000000,00000001), ref: 0041F84A
                                                • GetLastError.KERNEL32(?,004245E3,00000000,00000000,0041F930,?,?,00000000,00000000,00000001,00000000,00000000,?,0041F930,00000000,00000104), ref: 0041F854
                                                • __dosmaperr.LIBCMT ref: 0041F85B
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: ErrorFullLastNamePath__dosmaperr
                                                • String ID:
                                                • API String ID: 2398240785-0
                                                • Opcode ID: e95b58acd20ff03b7de0604d3f95648f78153c488b68a8cfe7999cd59df17e1a
                                                • Instruction ID: 5356ccb821a571137923583999cca56af5607f561d8780d9d137012589ba4a16
                                                • Opcode Fuzzy Hash: e95b58acd20ff03b7de0604d3f95648f78153c488b68a8cfe7999cd59df17e1a
                                                • Instruction Fuzzy Hash: FBF01231600115BB8B207BA6DC0499BBFA9FF443A03404536F52DC6521C735E8A6DBD4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • WriteConsoleW.KERNEL32(00405880,00000000,00437A28,00000000,00405880,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880), ref: 004272E6
                                                • GetLastError.KERNEL32(?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000,00405880,?,0042436F,00405880), ref: 004272F2
                                                  • Part of subcall function 004272B8: CloseHandle.KERNEL32(FFFFFFFE,00427302,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000,00405880), ref: 004272C8
                                                • ___initconout.LIBCMT ref: 00427302
                                                  • Part of subcall function 0042727A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004272A9,004269D4,00405880,?,00423E1B,00000000,?,00405880,00000000), ref: 0042728D
                                                • WriteConsoleW.KERNEL32(00405880,00000000,00437A28,00000000,?,004269E7,00405880,00000001,00405880,00405880,?,00423E1B,00000000,?,00405880,00000000), ref: 00427317
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                • String ID:
                                                • API String ID: 2744216297-0
                                                • Opcode ID: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
                                                • Instruction ID: 5b8baa1da4bb66d128bbbdf819d740daca6d0282673a7c9b135cb97f91750bdc
                                                • Opcode Fuzzy Hash: 654839e4b531a485c8561e35f9c6b1b80fe1c4fa203d6a6e5454fb2027dc39d5
                                                • Instruction Fuzzy Hash: 46F01C36201129FBCF221F95EC04A8A3F66FF093A1B814075FE1C86231D6328820EB98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: CreateThread$Sleep
                                                • String ID:
                                                • API String ID: 422425972-0
                                                • Opcode ID: c7ec29c90368d79a70c95a5ee9845132da8938ab2cedaa7c12f416f09ab0d9a8
                                                • Instruction ID: 3e58bb4c01d1f945cb402fb00719d76fe511b7683de936d62f19d1048555ce50
                                                • Opcode Fuzzy Hash: c7ec29c90368d79a70c95a5ee9845132da8938ab2cedaa7c12f416f09ab0d9a8
                                                • Instruction Fuzzy Hash: 69E09231BE8334B6F47126A45C03F891E545B08F95FB20023B70CBE4D084C87485CAEE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • _free.LIBCMT ref: 0041D822
                                                  • Part of subcall function 0041E5A1: HeapFree.KERNEL32(00000000,00000000,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?), ref: 0041E5B7
                                                  • Part of subcall function 0041E5A1: GetLastError.KERNEL32(?,?,0042237D,?,00000000,?,?,?,004223A4,?,00000007,?,?,004227A6,?,?), ref: 0041E5C9
                                                • _free.LIBCMT ref: 0041D835
                                                • _free.LIBCMT ref: 0041D846
                                                • _free.LIBCMT ref: 0041D857
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: _free$ErrorFreeHeapLast
                                                • String ID:
                                                • API String ID: 776569668-0
                                                • Opcode ID: 5b4b832eec97106c71e74c3abf3533cea5e390173416251ec6b9798646083543
                                                • Instruction ID: 2f128d3171f244c94fc48b8332bc88089a284fec835ab8af747093701a289460
                                                • Opcode Fuzzy Hash: 5b4b832eec97106c71e74c3abf3533cea5e390173416251ec6b9798646083543
                                                • Instruction Fuzzy Hash: C3E04FB4801520AFCE012F53FE055953BA2FB947EC340302AF81406232DB390261EFCE
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • std::_Xinvalid_argument.LIBCPMT ref: 00412FEF
                                                  • Part of subcall function 00416F50: Concurrency::cancel_current_task.LIBCPMT ref: 00417083
                                                Strings
                                                • invalid stoi argument, xrefs: 00412FEA
                                                • stoi argument out of range, xrefs: 00412FF9
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_
                                                • String ID: invalid stoi argument$stoi argument out of range
                                                • API String ID: 3646673767-1606216832
                                                • Opcode ID: b8df3df11c9997a28d75ab609b373ec4d34966bb998b75cd7ce6713ad255ec23
                                                • Instruction ID: 6d18bec53ddcbea06decae191a6eae5fb5e1180c669e5708db714ed38e612d95
                                                • Opcode Fuzzy Hash: b8df3df11c9997a28d75ab609b373ec4d34966bb998b75cd7ce6713ad255ec23
                                                • Instruction Fuzzy Hash: 60E1D171A001189BEF28DF28CE857DDBB72EB46304F50819EE419972C1DB799AD1CF98
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: C:\Users\user\AppData\Local\Temp\e94c2b28f2\rovwer.exe
                                                • API String ID: 0-3338832412
                                                • Opcode ID: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
                                                • Instruction ID: 3e019bb9f1f37e8f56b3af26f626c64f14fa1fa210d5d8f79d997b38734a4c96
                                                • Opcode Fuzzy Hash: 31fa4e4f4f0bc981144b5b3ffc5fea1ddf45f4662b4ea0433f5b95f05539bbed
                                                • Instruction Fuzzy Hash: 9A41A271A80214AFDB11DF9A9CC19EFBBB9EB85710F10006BF40497251D7788E82CB5D
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 00419F02
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: EncodePointer
                                                • String ID: MOC$RCC
                                                • API String ID: 2118026453-2084237596
                                                • Opcode ID: 56cf5a80f9e67a63b3ea8228320d3624bd09d448c8f94bbe6aa890cfa768ed17
                                                • Instruction ID: ef4240616421f5d170a5d1c4fd7b0d446090a164c11462a96303fe54a6744129
                                                • Opcode Fuzzy Hash: 56cf5a80f9e67a63b3ea8228320d3624bd09d448c8f94bbe6aa890cfa768ed17
                                                • Instruction Fuzzy Hash: 5C414872900209EFCF16DF98C981AEEBBB5FF48304F18819AF904A7251D3399DA1DB55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00412D18
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: FileModuleName
                                                • String ID: .$5120
                                                • API String ID: 514040917-2446372808
                                                • Opcode ID: f99830547a012116d5b52b04e72eafd6a293cbb33d9ac81bb1d8b6fc8795619a
                                                • Instruction ID: 9696d8c15566c1d42fadb68592e21f39738dfdc301de5d2260ec8dd83da14f2d
                                                • Opcode Fuzzy Hash: f99830547a012116d5b52b04e72eafd6a293cbb33d9ac81bb1d8b6fc8795619a
                                                • Instruction Fuzzy Hash: D421E2B09002489BDB14EF69C90A7DD7FB49F06348F5001CEE44567282D7B99A498BE7
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                  • Part of subcall function 0041FDF2: EnterCriticalSection.KERNEL32(00405880,?,00424223,00405880,00437D48,00000010,0041EA11,00000000,C032C301,00000000,00000000,00405880,?,0041BB1A,00405880,00000000), ref: 0041FE0D
                                                • FlushFileBuffers.KERNEL32(00000000,00437D28,0000000C,00423A2E,nA,?,00000001,?,0041E96E,?), ref: 00423970
                                                • GetLastError.KERNEL32 ref: 00423981
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.346421950.0000000000400000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                • Associated: 00000005.00000002.346893463.000000000043E000.00000040.00000001.01000000.00000004.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_400000_rovwer.jbxd
                                                Similarity
                                                • API ID: BuffersCriticalEnterErrorFileFlushLastSection
                                                • String ID: nA
                                                • API String ID: 4109680722-4035868545
                                                • Opcode ID: f003fc8eaf19488ae7f9339aa40c70496bc05c9f4a2d22a8ae3e610d030b7c35
                                                • Instruction ID: 0418fce989e2f534913a4f38d2ce8aa3e5464a19317c2ea272403c313fbf0c0e
                                                • Opcode Fuzzy Hash: f003fc8eaf19488ae7f9339aa40c70496bc05c9f4a2d22a8ae3e610d030b7c35
                                                • Instruction Fuzzy Hash: 45018076B002108FC714AF69E90569D7BB5AF49724F50412FF4219B3D2DBBC9982CB98
                                                Uniqueness

                                                Uniqueness Score: -1.00%